Due to some apparent poor choices in the default configuration settings of a piece of Microsoft software, 38 million records of private personal information have been exposed encompassing both major US corporations and government agencies. Apps and websites created with Microsoft Power Apps appear to list all data types as public unless the default settings are changed. The data leak exposed several coronavirus tracing and vaccination portals, as well as at least one job applicant database that contained Social Security numbers.
Microsoft Power Apps default settings, left unchanged, expose all stored data
The data leak was discovered by security researchers with UpGuard Research and disclosed to the public this week. The issue stems from Microsoft Power Apps, a “low code” simplification tool for designing apps and websites with little programming. When an app is created that enables the OData feed used to pull information from tables, the default settings make all of the information in the stored records available to anyone. The settings have to be manually configured to limit permissions.
The breach of COVID-19 vaccination databases illustrates the issue with this mix of information. Some apps want to allow certain types of data to be pulled freely by the general public, such as appointment times and vaccination location sites. But the same databases also contained private information such as names, email addresses and vaccination status.
The 38 million collective records exposed in the data leak come from a wide variety of sources. Major names in private industry, such as American Airlines and J.B. Hunt along with Microsoft themselves, appear to have had Microsoft Power Apps creations in use. So did government bodies in New York City, Indiana and Maryland.
Microsoft Power Apps creations are impacted only if OData (Open Data Protocol) APIs have been enabled for retrieving data from Power Apps lists. By default, enabling this ability allows anonymous access to the full set of records that the lists pull from; administrators need to set table permissions manually afterwards to restrict it. An attacker could use the OData protocol to view this information in a web browser or a client-side web application, or import it directly into Excel. Because these portals are meant to be easy for users to find, they are often indexed by search engines.
UpGuard’s researchers indicated that Microsoft Power Apps comes with preset schemas that encourage the storage of various types of sensitive personal information. Given this, a note in the technical documentation reminding the end user to set table permissions was not an adequate safeguard against data leaks. Microsoft was privately informed of the issue in May and made changes in June, ahead of the public announcement. The current updated version of Microsoft Power Apps now enables table permissions by default when the OData API is used. The company also issued a tool that automatically checks portals for exposed records.
Chris Clements, VP of Solutions Architecture for Cerberus Sentinel, sees this incident as symbolic of the simple (but potentially devastating) security mistakes that can be made as companies try to quickly shift to remote work models: “The rush to the cloud has exposed many organizations’ inexperience with the various cloud platforms and risks from their default configurations. Developing in a public cloud can have efficiency and scaling advantages, but it also often removes the ‘safety net’ of development conducted inside internal networks protected from outside access by the perimeter firewall. It’s critical that companies ‘look before they leap’ with migrations or new development on cloud platforms to fully understand the potential security gotchas or risks that they might introduce. It’s also instructive for cloud vendors to understand the risks that their chosen default settings have on customers and change them to provide higher security by default even if it reduces upfront convenience.”
Data leaks present at high-profile targets
At least two state governments were compromised by a failure to set Microsoft Power Apps permissions: Indiana and Maryland. The Maryland Department of Health had the contact information of persons scheduled for COVID-19 vaccinations exposed; the Indiana Department of Health had similar exposure.
Several city governments also had data leaks, most notably the New York City Municipal Transportation Authority and the NYC Department of Education. Each of these exposed personal contact information stored for various purposes, including 291,955 records that may have contained the personal information and home addresses of minors. Denton County, TX also saw a data leak from its vaccination tracking system.
Among the private companies included in the data leak were American Airlines, Ford, J.B. Hunt and Microsoft. Most of these had databases containing contact information exposed, and J.B. Hunt was the one that potentially exposed 253,288 Social Security numbers and 51,028 drug screening results belonging to job applicants. Microsoft had the greatest variety of these vulnerable portals in use throughout the company, however, in areas such as “Global Payroll Services” and the “Customer Insights Portal.” The UpGuard researchers issued private warnings to these companies in June along with the government agencies named.
It is not clear if any of this data was accessed by threat actors, and it is hard to tell, given that poorly configured records could be easily located and accessed via a simple Google search. The breach window is also unclear: Microsoft Power Apps has been available to the general public since late 2016. Microsoft’s position is that this is not actually a “data leak” but a case of end users not using the product in the way it was intended.
Alicia Townsend, technology evangelist with OneLogin, notes that this approach has been something of a trend over time with Microsoft products: “This touches on a couple of historically interesting facts. One, a lot of Microsoft products in the past have started off giving wide access to data and resources by default. It was left up to users and administrators to take action and lock things down. This approach has definitely changed over at least the last decade or so, but ease of use and access still tend to lead the way, instead of developing tools and reports that make it easier for admins and users to see who has access to what information and adjust as necessary. This then leads to the other fact that we have stated over and over again, that it is the responsibility of everyone to both be aware of and educate others on the importance of protecting people’s private information.”
The extent of damage is also not well known at this point as UpGuard did not make a comprehensive list of exposed records, simply naming a handful of the biggest organizations found with relatively simple searches. Microsoft Power Apps appears to be popular with health agencies looking to quickly implement vaccination tracking systems as the pandemic unfolds.
Though Microsoft can be held to account for not anticipating what was likely to be a common mistake, some security researchers point out that misconfigurations of this nature are extremely common and should be anticipated anyway by implementing layers of security.
Josh Rickard, Security Solutions Architect at Swimlane, endorses automated systems: “It is essential for major organizations, like the ones involved in this data exposure, to centralize and automate their detection, response and investigation protocol into a single platform. The power of security automation allows organizations to improve the level of protection for valuable customer data. Implementing real-time security automation through SOAR solutions allows for automated incident response and execution of security-related tasks without the chance of human error, further ensuring the privacy of organizations’ valued customers and their data.” And Ruston Miles, founder and advisor at cybersecurity company Bluefin, reiterates the importance of encrypting sensitive data: “Encryption and tokenization mask the data so that it is not readable and therefore not saleable on the Dark Web. Companies can ensure that if a breach or data leak happens, encryption or tokenization are in place to protect the data from compromise. It’s like the old westerns where the robbers steal the safe from the bank, only to find out later that the safe is too strong for them to break into.”