
Microsoft Power Apps misconfiguration exposes data from 38 million records
2021-08-24 13:52

Improper security configuration of Microsoft's Power Apps has led to the exposure of data from some 38 million records, according to security firm UpGuard.

Among the organizations whose data was exposed were government agencies in Indiana, Maryland and New York City, as well as private companies such as American Airlines, J.B. Hunt and even Microsoft itself.

Microsoft Power Apps is a low-code development tool designed to help people with little programming experience build web and mobile apps for their organizations.

As part of the process, Microsoft allows customers to set up Power Apps portals as public websites to give internal and external users secure access to the required data.

To allow access to the data, Power Apps uses an OData API. The API retrieves data from Power Apps lists, which pull the data from tables in a database.

UpGuard's report contained the steps required to identify OData feeds that allowed anonymous access to list data, as well as URLs for accounts that were exposing sensitive data.


News URL

https://www.techrepublic.com/article/microsoft-power-apps-misconfiguration-exposes-data-from-38-million-records/#ftag=RSS56d97e7
