US: 38 million records exposed via Microsoft Power Apps misconfiguration
The UpGuard research team has disclosed multiple data leaks stemming from Microsoft Power Apps portals configured to allow public access. A total of 38 million records have been exposed.

Power Apps are used to build low-code, cloud-hosted business intelligence apps, and Power Apps portals are used to create public websites so internal and external users can gain access to an organization's data. The issue UpGuard is reporting involves the Open Data Protocol (OData) API that is designed to retrieve data from Power Apps lists, used to expose records for display on portals.

In its documentation for Power Apps portals, Microsoft warns OData feeds are public if they are misconfigured. If the correct configurations are not set and the OData feed is enabled, then list data can be freely accessed by anonymous users.

Researchers discovered this is the case for many organizations' data. On May 24, 2021, an UpGuard researcher found the OData API for a Power Apps portal had anonymously accessible list data, including personally identifiable information. A report was submitted to Microsoft on June 24.

UpGuard notified 47 organizations of exposures via the OData API involving personal data. Those affected include governmental bodies such as the state of Indiana, New York City Municipal Transportation Authority and NYC Schools, and the Maryland Department of Health, as well as private entities including American Airlines, Microsoft, and J.B. Hunt.

The types of exposed data vary depending on the portal but include personal data used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants, employee IDs, and millions of names and email addresses.




https://www.darkreading.com/application-...figuration