According to a cybersecurity vendor, the misconfiguration of Microsoft Power Apps, a low-code app design tool, has exposed up to 38 million personal records at 47 organizations, including American Airlines and Ford.
Among the personal records exposed at organizations were COVID-19 vaccination appointment information, Social Security numbers, employee IDs, and email addresses, according to cybersecurity risk management firm UpGuard. The company said that J.B. Hunt, the Maryland Department of Health, and Indiana were also among the organizations with misconfiguration errors.
Power Apps allows users with little programming experience to create cloud-hosted apps quickly for things such as online sales and scheduling. In addition, Power Apps portals can expose the data behind those apps to anonymous visitors through data feeds, and whether a given list is public or private is a configuration choice left to the organization. “In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated,” UpGuard wrote in a blog post.
While some data-sharing is appropriate and the ability to share data is a feature promoted by Microsoft, it appears that user organizations don’t fully understand the implications of opening up data feeds, UpGuard added.
“The number of accounts exposing sensitive information, however, indicates that the risk of this feature, the likelihood and impact of its misconfiguration, has not been adequately appreciated,” the company wrote. “On one hand, the product documentation accurately describes what happens if an app is configured in this way. On the other hand, empirical evidence suggests a warning in the technical documentation is not sufficient to avoid the serious consequences of misconfiguring” the data-sharing feature.
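The misconfiguration UpGuard describes is easy to test for from the outside, and an organization running its own portal should do so before someone else does. The script below is an added illustration, not code from UpGuard, Microsoft or the Washington Examiner: it requests a portal's OData service document without any credentials, then tries to read a few rows from each list it advertises, and flags lists that answer anonymously with columns whose names suggest personal data. The `/_odata` path and the `$top` query option are my understanding of how Power Apps portals expose list feeds and should be verified against your own portal; the portal hostname, list names and records are constructed for the offline demo.

```python
"""Self-audit for anonymous OData exposure on a Power Apps portal (added example)."""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request

# Column-name fragments that usually indicate personal data. Extend for your schema.
SENSITIVE_MARKERS = ("ssn", "social", "email", "phone", "dob", "birth", "address", "employeeid")

# Constructed sample responses standing in for a live portal. "contacts" answers
# anonymously (the misconfiguration); "appointments" has table permissions and refuses.
SAMPLE_SERVICE_DOC = json.dumps({
    "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
    "value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
    ],
})
SAMPLE_RECORDS = [
    {"contactid": "1", "fullname": "A. Person", "emailaddress1": "a@example.org",
     "new_ssn": "000-00-0000", "new_appointmenttime": "2021-08-23T09:00:00Z"},
    {"contactid": "2", "fullname": "B. Person", "emailaddress1": "b@example.org",
     "new_ssn": "000-00-0001", "new_appointmenttime": "2021-08-23T09:30:00Z"},
]


def parse_service_document(doc_json: str) -> list[str]:
    """Return the entity-set names advertised by an OData v4 service document."""
    doc = json.loads(doc_json)
    return [e["name"] for e in doc.get("value", []) if e.get("kind", "EntitySet") == "EntitySet"]


def sensitive_columns(records: list[dict]) -> list[str]:
    """Column names across a page of records whose names suggest personal data."""
    cols: set[str] = set()
    for rec in records:
        cols.update(rec.keys())
    return sorted(c for c in cols if any(m in c.lower() for m in SENSITIVE_MARKERS))


def fetch_anonymous(url: str) -> tuple[int, str]:
    """GET with no cookies or credentials, returning (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_portal(base_url: str, fetch=fetch_anonymous) -> dict[str, list[str]]:
    """Map each anonymously readable list to its sensitive-looking columns.

    An empty dict means either no feed is enabled or every list refused the request.
    The fetch parameter exists so the logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    status, body = fetch(base + "/_odata")  # assumed portal feed path
    if status != 200:
        return {}
    findings: dict[str, list[str]] = {}
    for name in parse_service_document(body):
        status, body = fetch(f"{base}/_odata/{name}?$top=5")  # $top: assumed OData support
        if status == 200:
            findings[name] = sensitive_columns(json.loads(body).get("value", []))
    return findings


def fake_fetch(url: str) -> tuple[int, str]:
    """Offline stand-in for fetch_anonymous using the constructed samples."""
    if url.endswith("/_odata"):
        return 200, SAMPLE_SERVICE_DOC
    if "/_odata/contacts" in url:
        return 200, json.dumps({"value": SAMPLE_RECORDS})
    return 403, ""  # table permissions enforced: anonymous read refused


def demo() -> dict[str, list[str]]:
    """Run the audit against the constructed portal."""
    return audit_portal("https://example.powerappsportals.com", fetch=fake_fetch)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_portal(target) if target else demo()
    for list_name, cols in result.items():
        print(f"anonymous read OK: {list_name}  sensitive-looking columns: {cols or 'none'}")
    if not result:
        print("no lists readable anonymously")
```

Run it with your portal's base URL as the only argument, from a machine that holds no portal session; any list it reports is readable by anyone on the internet, and the remedy on the portal side is to turn off the list's feed or put table permissions in front of it rather than to hide the URL.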
Some cybersecurity experts suggested that organizations may be using Power Apps without thoroughly reading the documentation or understanding the implications of making collected data publicly available.
Companies using low-code tools should have their “security architects and principals to carefully read through Microsoft’s documentation, taking note of what potential security issues may exist, even and especially when they are not explicitly described as being a security vulnerability, improper disclosure of [personal data], and so forth,” said Aryeh Goretsky, distinguished researcher at ESET, an internet security vendor. “Likewise, Microsoft needs to make its documentation implicitly clear that using their tools in such a fashion can result in the disclosure” of personal information.
UpGuard notified Microsoft and the affected organizations in June and July before releasing its description of the problem on Aug. 23.
Microsoft said affected customers were notified of the potential data leaks.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs,” a Microsoft representative told the Washington Examiner. “We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
A “small subset” of the Power Apps customers configured the portal as described in the UpGuard blog post, and Microsoft worked with those customers to use “the privacy settings consistent with their needs,” Microsoft added.
Some cybersecurity experts, however, are skeptical of low-code app development. The tools lower the skills bar for building apps, but some of the people building with them may not pay attention to issues such as security, said Tom Hickman, chief product officer of ThreatX, an app security vendor.
“I have a curmudgeonly viewpoint about low-code platforms like Power Apps,” Hickman told the Washington Examiner. The ability to develop apps quickly is “great when it comes to reducing friction in enterprises but terrible when it comes to meeting the responsibility of data stewardship.”
Organizations must remember their responsibilities for managing the data that their low-code apps collect, he added. Hickman said that good app development includes providing security in-depth, including steps such as security assessments during development, pen-testing in pre-production, and running dynamic scans.
“Just because a platform like the Microsoft Power Platform offers shortcuts in your software development road map, it doesn’t offer the same shortcuts in your security program,” he added.
Organizations using low-code tools need to step up their internal security processes, added Goretsky from ESET.
“This is the kind of thing I might expect to be found during an audit … by the red team of the company’s security department looking for vulnerabilities in their websites and applications,” he told the Washington Examiner.