An app-building tool from Microsoft somehow leaked data from over 38 million people

Thankfully, it doesn’t seem that any of this data was exploited.


An app-building tool created by Microsoft has leaked the data of roughly 38 million people online. The reason for the leaks? Improperly configured privacy settings, which were set to give public API access by default.

The security company that discovered the leak says there’s no evidence that data was exploited, and Microsoft has since fixed the issue.

Back in May of this year, security researchers at UpGuard noticed an app built with Microsoft’s Power Apps platform that was “misconfigured to expose data.” They wondered if it was just that one app, or if it was a “systemic issue” on the platform.

Well, it didn’t take long before they realized it was systemic, with organizations like Ford, American Airlines, J.B. Hunt, and multiple state agencies from Maryland, New York City, and Indiana all exposing user data publicly.

Even Microsoft wasn’t immune, with a handful of old databases exposed to the public. The exposed data included names, phone numbers, and even social security numbers, along with some medical data, as some of the sites were being used to organize COVID-19 vaccination efforts.

If you’ve never heard of Power Apps before now, you’re not alone. We had to dig into the platform as well, and found that it’s a no-code way to make simple websites or apps, covering both the public-facing site and the backend that handles the data. While the developer docs for the permissions do talk about the issues regarding misconfiguration, the default when these feeds are enabled is that anyone can view them.

Microsoft eventually created a tool to audit Power Apps portals for the correct table permissions and is planning changes to the platform so that table permissions will be enforced by default. That should stop this issue from happening in the future, but it’s a stark reminder that well-intentioned default settings can go awry.
