Thousands of web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination registrations, application portals and employee databases. The data included a range of sensitive information, from people’s phone numbers and personal addresses to social security numbers and Covid-19 vaccination status.
The incident affected large businesses and organizations, including American Airlines, Ford, transportation and logistics company JB Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority and New York public schools. And while the data exposures have since been corrected, they show how a bad configuration setting in a popular platform can have far-reaching consequences.
The exposed data was all stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to build web or mobile applications for external use. If you need to quickly create an appointment registration site for vaccines during, for example, a pandemic, Power Apps portals can generate both the public site and the data management backend.
Starting in May, researchers at security firm UpGuard began investigating a large number of Power Apps portals that publicly exposed data that should have been private, including certain Power Apps portals that Microsoft had created for its own purposes. None of the data is known to have been compromised, but the discovery is still significant because it reveals an oversight in the design of Power Apps portals that has since been fixed.
In addition to managing internal databases and providing a foundation for developing applications, the Power Apps platform also provides out-of-the-box application programming interfaces for interacting with that data. But the UpGuard researchers realized that when these APIs were enabled, the platform's default made the corresponding data publicly available. Turning on the privacy settings was a manual step. As a result, many customers left the insecure default in place and their applications exposed data.
“We found one that was misconfigured to expose data and we thought, we’ve never heard of it, is it a one-off thing or is it a systemic issue?” said Greg Pollock, vice president of cyber research at UpGuard. “Because of how the Power Apps Portals product works, it is very easy to quickly complete a survey. And we found out that there are tons of them on display. It was wild.”
The types of information the researchers came across varied widely. JB Hunt’s exposure was job seeker data that included Social Security numbers. Microsoft itself exposed a number of databases in its own Power Apps portals, including an older platform called “Global Payroll Services”, two “Business Tools Support” portals and a “Customer Insights” portal.
The information was limited in many ways. Just because the state of Indiana, for example, had an exposed Power Apps portal doesn’t mean that all of the state’s data was exposed. Only the subset of contact tracing data used in that Power Apps portal was involved.
Misconfiguration of cloud-based databases has been a serious problem for years, exposing huge amounts of data to inappropriate access or theft. Big cloud providers like Amazon Web Services, Google Cloud Platform and Microsoft Azure all took steps early on to store customer data privately by default and to report potential configuration errors, but the industry as a whole has prioritized the problem only recently.
After years of studying cloud misconfigurations and data exposure, UpGuard researchers were surprised to discover these issues on a platform they had never looked at before. UpGuard attempted to investigate the exposures and inform as many affected organizations as possible. The researchers could not reach every affected entity because there were too many of them, so they also disclosed the results to Microsoft. In early August, Microsoft announced that Power Apps portals will now store API data and other information privately by default. The company has also released a tool that customers can use to check their portal settings. Microsoft did not respond to a request for comment from WIRED.
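The exposure mechanism described above (an enabled portal API answering unauthenticated requests because table permissions were not switched on) and the "check your portal settings" step at the end of the article both come down to one question an administrator can ask of their own portal: does the OData feed hand back records to a client that presents no credentials? The following audit script is an added example, not UpGuard's tooling or Microsoft's checker. It assumes the portal serves its OData feed under the `/_odata` path and that standard OData service documents and `$top` queries apply; the portal hostname and the embedded sample responses are constructed placeholders so the script can be exercised offline. Treat a "readable" result as a signal to review the portal's table permissions, not as proof that nothing else is exposed.

```python
"""Audit helper: does a Power Apps portal's OData feed answer anonymous requests?

Added example (not from the article, UpGuard or Microsoft). Assumes the feed lives
under /_odata and that the portal speaks standard OData JSON.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

ODATA_PATH = "/_odata"  # assumption: path under which the portal serves its OData feed


@dataclass
class ExposureReport:
    portal: str
    status: int                        # HTTP status of the anonymous service-document request
    anonymous_readable: bool           # True if at least one entity set returned records
    exposed_entity_sets: list = field(default_factory=list)


def fetch_anonymous(url, timeout=10):
    """GET with no cookies or auth headers. Returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_service_document(body):
    """Entity set names from an OData service document; [] if it is not one."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    names = []
    for item in doc.get("value", []):
        if isinstance(item, dict) and item.get("kind", "EntitySet") == "EntitySet" and "name" in item:
            names.append(item["name"])
    return names


def entity_set_returns_records(body):
    """True if an entity-set query body carries at least one record."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(doc.get("value"), list) and len(doc["value"]) > 0


def audit_portal(portal_host, fetch=fetch_anonymous):
    """Probe the service document, then ask each listed entity set for one record."""
    base = f"https://{portal_host}{ODATA_PATH}"
    status, body = fetch(base)
    exposed = []
    if status == 200:
        for name in parse_service_document(body):
            set_status, set_body = fetch(f"{base}/{name}?$top=1")
            if set_status == 200 and entity_set_returns_records(set_body):
                exposed.append(name)
    return ExposureReport(portal_host, status, bool(exposed), exposed)


# Constructed sample responses (not captured from any real portal).
SAMPLE_EXPOSED = {
    "https://example-portal.invalid/_odata": (200, json.dumps(
        {"value": [{"name": "contacts", "kind": "EntitySet", "url": "contacts"}]})),
    "https://example-portal.invalid/_odata/contacts?$top=1": (200, json.dumps(
        {"value": [{"contactid": "00000000-0000-0000-0000-000000000001",
                    "emailaddress1": "constructed@example.invalid"}]})),
}
SAMPLE_FIXED = {
    # After table permissions are enforced, the anonymous request is refused.
    "https://example-portal.invalid/_odata": (403, json.dumps({"error": "Forbidden"})),
}


def make_fake_fetch(responses):
    """Build a fetch() that replays constructed responses instead of using the network."""
    def fake_fetch(url, timeout=10):
        return responses.get(url, (404, ""))
    return fake_fetch


if __name__ == "__main__":
    for label, sample in (("exposed", SAMPLE_EXPOSED), ("fixed", SAMPLE_FIXED)):
        report = audit_portal("example-portal.invalid", fetch=make_fake_fetch(sample))
        print(label, report)
```

To run against a real portal you administer, call `audit_portal("your-portal-host")` with the default fetcher; the fake fetcher exists only so the logic can be checked without a network. The check is deliberately read-only and asks for a single record per entity set, which is enough to establish whether anonymous reads are permitted.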