Security News > 2021 > August > Microsoft Spills 38 Million Sensitive Data Records Via Careless Power App Configs

For months, Microsoft's Power Apps portals exposed personal data tied to 38 million records, including COVID-19 vaccination status, social security numbers and email addresses.
Microsoft describes its Power Apps as a "suite of apps, services, and connectors, as well as a data platform, that provides a rapid development environment to build custom apps for your business needs." The tool is used by developers to build applications that share data locally or with the cloud.
On Monday, UpGuard Research revealed Microsoft's Power Apps management portal had inadvertently leaked data from 47 businesses, exposing a total of 38 million personal records.
How Microsoft's Power Apps Blew It
UpGuard said the data leak is tied to how the Power Apps platform juggles the use of the Open Data Protocol with its application programming interface.
The issue, UpGuard explained, is that Microsoft's configuration options for data sharing and storing sensitive data in Power Apps "create(s) the potential for data leaks."
Over the following weeks, UpGuard continued to find massive data exposures tied to the way Power Apps handled OData via its API. "Microsoft would later take action after we had notified some of the most severe exposures. We spent the next few weeks analyzing the data for indicators of sensitivity and reaching out to affected organizations," according to the UpGuard report.
News URL
https://threatpost.com/microsoft-38-million-sensitive-records-power-app/168885/