Article

Microsoft's Power Apps Portals customers were exposing millions of private records, security firm reveals

by Jason Gumpert
Editor, MSDynamicsWorld.com

A cybersecurity firm has revealed a broad data security risk in Microsoft Power Apps Portals related to access to OData APIs. The issue, which led to the public exposure of sensitive data across many public-facing portals, impacted hundreds of portals and exposed a reported 38 milllion records including personal information of customers, citizens, and employees.

The firm, UpGuard, reports that the data access issue has largely been addressed through their own outreach to portal owners and through actions taken by Microsoft after learning of the exposures. Portals customers observed to have been inadvertently exposing their data publicly included American Airlines, Ford, J.B. Hunt, state and local government agencies.

The root of the issue was security configuration of OData API feeds for portals, the UpGuard team explained in their report. Specifically, Microsoft Dataverse tables used to store portal data about entities like customers, employees, vendors, constituents, or almost anything else, can be configured for anonymous access via OData. While portals have a range of security controls, the UpGuard team reported that controls for retrieving data on tables via OData could easily be misconfigured to allow anonymous access. (Changes to those configuration settings have now been applied by Microsoft).

The UpGuard team identified these vulnerabilities in May and June of 2021, they report. The findings began with a discovery of anonymous access to personal data on a single portal. After that portal was secured by the owner, the team explored whether other sites powered by Power Apps Portals had the same issue. They found other portals using the common Microsoft subdomain naming patterns and checked each for an OData endpoint and the lists available to anonymous visitors.

Using this technique, the team uncovered sensitive data on public-facing portals used by the US government to track COVID-19 tracing or vaccination and a portal with job applicant data, including Social Security Numbers. In all, they report, they identified over a thousand anonymously accessible lists across a few hundred portals.

With the findings, including exposed data from these portals, the team alerted Microsoft. They explained:

FREE Membership Required to View Full Content:

Joining MSDynamicsWorld.com gives you free, unlimited access to news, analysis, white papers, case studies, product brochures, and more. You can also receive periodic email newsletters with the latest relevant articles and content updates.
Learn more about us here

Get full access
Automotive Dataverse (CDS) Government Healthcare Power Apps Portals Power Platform Security Travel & Leisure
About Jason Gumpert

As the editor of MSDynamicsWorld.com, Jason oversees all editorial content on the site and at our events, as well as providing site management and strategy. He can be reached at jgumpert@msdynamicsworld.com.

Prior to co-founding MSDynamicsWorld.com, Jason was a Principal Software Consultant at Parametric Technology Corporation (PTC), where he implemented solutions, trained customers, managed software development, and spent some time in the pre-sales engineering organization. He has also held consulting positions at CSC Consulting and Monitor Group.

More about Jason Gumpert