By Shannon Morse, ThreatWire

Security research firm UpGuard discovered a flaw in Microsoft’s Power Apps portals that was exposing data to the internet. They found that about 38 million records were exposed from over a thousand different web apps that many companies were using, including 750,000 datasets from Indiana’s contact tracing system for COVID-19. Unfortunately, Indiana’s Department of Health described this as “unauthorized access” by UpGuard, even though it was a data leak that UpGuard was alerting them to.

Microsoft’s Power Apps portal service is a dev platform that lets you easily create mobile or web apps and spin them up quickly, so it’s great for setting up a public-facing site and a data management backend for large companies, government agencies, or small businesses.

Now that this flaw has been fixed (it was originally found in May by the researchers), we know that several companies were leaving this data exposed. That includes American Airlines, Ford, Maryland Department of Health, the NYC Municipal Transportation Authority, NYC public schools, and Indiana’s Department of Health. Some of these web apps were being used for job application portals, employee databases, vaccination appointment sign-ups, and contact tracing. That means some of the exposed data is very sensitive, such as home addresses, social security numbers, phone numbers, emails, dates of birth and more.

UpGuard found that some Power Apps APIs, when spun up, defaulted to leaving data publicly accessible. Privacy settings had to be set up manually, and many companies and agencies never did that. After UpGuard reported the issue, Microsoft responded by changing Power Apps portals to default to storing data privately in their API. Microsoft also released a tool so users can easily tell if their app is exposing data.

Almost all of the sensitive data is now secured because UpGuard contacted Power Apps customers directly to disclose this information before publicizing the news to media outlets.

Power Apps:

https://www.upguard.com/breaches/power-apps

https://www.wired.com/story/microsoft-power-apps-data-exposed/

https://threatpost.com/covid-contact-tracing-exposed-fake-vax-cards/168821/

https://apnews.com/article/technology-health-indiana-coronavirus-pandemic-557a7dce07a39bd0ec9b36140cc53219
