Microsoft’s Power Apps portals leaked 38 million records ranging from COVID-19 vaccination status, Social Security numbers and email addresses

A recent report states that Microsoft Power Apps portals have been exposing sensitive information for months; the records on display include social security numbers, emails and even proof of vaccination against COVID-19. To make matters worse, the leaked information can be linked to customers, partners and contractors of organizations such as American Airlines, Ford, the Indiana Department of Health and New York State public schools.

As some users will recall, Power Apps is described by Microsoft as a set of applications and services for a fast development environment that allows you to create custom applications for each organization. This tool is used by many developers to share data on-premises and in the cloud.

According to the report by the firm UpGuard Research, the Power Apps web management portal inadvertently exposed the data of 47 organizations, which equates to 38 million personal records. The report mentions that this is because Power Apps administrators are forced to set their information to public or private.

“The leak is related to the way the platform plays with the use of the Open Data Protocol (OData) and the API. For example, some data managed within the platform must necessarily be public, while developers are allowed to keep information private,” the report states.

The researchers say the incident involves sensitive information that should be set to private: “The main problem is that Microsoft’s configuration options for sharing data and storing sensitive information creates the possibility of data breaches,” the experts add.

Most seriously, the researchers consider, these configuration errors are so common that they can be considered a systemic practice: “Evidence suggests that the warnings included by Microsoft do not work to avoid the consequences of misconfigurations, so virtually all users would be affected.”

The company notified Microsoft of its findings hoping that some changes would be made, so they were surprised by the company’s stance. The tech company mentions that this is not a bug, but a configuration option, so they consider that Power Apps works as expected and the case was closed.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.