Microsoft Power Apps Exposes 38 Million Sensitive Data Records

Nyakundi Report

This archive report was first published on 24 August 2021.

On May 24, UpGuard Research discovered a critical issue involving the OData API for a Power Apps portal, which exposed 38 million sensitive data records.

According to UpGuard, the primary issue was that all data types were public when some data, such as personally identifiable information, should have been private.

UpGuard submitted a vulnerability report to the Microsoft Security Resource Center on June 24, 2021, but Microsoft did not take any serious action until after UpGuard notified some of the portals that suffered from the most severe exposures.

Many of Microsoft's own portals were affected by the security lapse. The affected organizations included American Airlines, Microsoft, J.B. Hunt, and the governments of Indiana, Maryland, and New York City.

Since taking action, Microsoft has enabled table permissions by default for Power Apps portals and released a tool for users to self-diagnose their portals.

Microsoft Power Apps are low-code tools to design apps and create public and private websites, but the company's weak default configurations put sensitive data at risk.
