About 38 million records from north of a thousand web applications built on Microsoft's Power Apps platform were left exposed online, according to researchers. The records are said to have included data from COVID-19 contact tracing efforts, vaccine records, and employee databases, including home addresses, phone numbers, Social Security numbers, and vaccination status.
The incident, first reported by Wired, involved data from some major companies and institutions, including American Airlines, Ford, the Indiana Department of Health and New York City public schools. The vulnerability has mostly been resolved.
Researchers from security firm UpGuard began looking into the problem in May. They found that data from several Power Apps that were supposed to be private was available to anyone who knew where to look.
Power Apps aims to make it easy for customers to create their own web and mobile applications. It provides application programming interfaces (APIs) that developers can use with the data they collect. However, UpGuard found that using these APIs left data collected through Power Apps publicly accessible by default, and manual reconfiguration was required to keep the information private.
UpGuard says it submitted a vulnerability report to the Microsoft Security Response Center on June 24, including links to Power Apps accounts where sensitive data was exposed and steps to identify APIs that enabled anonymous access to data. The researchers worked with Microsoft to show how to reproduce the problem. However, a Microsoft analyst told the company on June 29 that the case had been closed and “they decided this behavior was by design.”
UpGuard then began notifying some of the affected companies and organizations, which moved to lock down their data. It filed an abuse report with Microsoft on July 15. By July 19, the company said that most of the data from the Power Apps in question, including the most sensitive information, had been made private. Engadget has contacted Microsoft for comment.
There is no indication yet that any of the exposed data has been compromised. Among the most sensitive information left public were 332,000 email addresses and Microsoft employee IDs used in payroll, according to UpGuard. The company also says that more than 39,000 records were exposed from portals related to Microsoft Mixed Reality, including usernames and email addresses.
The incident underscores the fact that a misconfiguration, no matter how simple it may seem, can lead to serious data breaches. That doesn’t seem to have happened here, fortunately. However, it does show that developers should triple-check their settings, especially when connecting an API they didn’t design themselves.