Default permissions settings in an app-building tool from Microsoft have been blamed for exposing the data of 38 million people online. Information including names, email addresses, phone numbers, social security numbers, and COVID-19 vaccination appointments was inadvertently made publicly accessible by 47 different companies and government entities using Microsoft’s Power Apps platform. There’s no evidence of the data being exploited, though, and the underlying issue has now been fixed by Microsoft.
The problem was originally discovered in May by security research team UpGuard. In a recent blog post from UpGuard and report from Wired, the company explains how organizations using Power Apps created apps with improper data permissions.
“We found one of these [apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” UpGuard’s vice president of cyber research Greg Pollock told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
Power Apps allows companies to build simple apps and websites without formal coding experience. Organizations implicated in the breach — including Ford, American Airlines, J.B. Hunt, and state agencies in Maryland, New York City, and Indiana — were using the site to collect data for various purposes, including organizing vaccination efforts. Power Apps offers tools for quickly collating the sort of data needed in these projects, but, by default, leaves this information publicly accessible. This is the exposure UpGuard discovered.
The mechanism of this particular ‘breach’ is interesting, as it blurs the line between what is a software vulnerability and what is merely poor choice in user interface design. UpGuard says Microsoft’s position is that this was not a vulnerability as it was users’ fault for not properly configuring the apps’ permissions. But, arguably, if you are making an app designed to be used by people with little coding experience, then making things as safe as possible by default would seem to be the smart move. As reported by Wired, Microsoft has now changed the default permissions settings responsible for the exposure.