Microsoft Power Apps misconfiguration exposes 38 million records

Sensitive data including contact tracing, COVID vaccine status as well as names and email addresses have been leaked

Default settings on Microsoft Power Apps portals have led to several data leaks, with 38 million records held by 47 entities, including government bodies and corporations, inadvertently made publicly available.

Microsoft Power Apps is a suite of tools and services, as well as a central data platform, that provides a rapid development environment for organisations to build custom apps to suit their particular needs. Power Apps portals are a way to create public websites that give internal and external users access to data. 

The type of data exposed varies between the portal, according to research published by UpGuard, and includes sensitive information used for COVID-19 contact tracing, vaccine appointments, and US social security numbers. The exposed data also includes names and email addresses.

Various entities swept up in the leaks include local US governmental bodies such as Indiana, Maryland and New York City, as well as private companies like American Airlines, JB Hunt, as well as Microsoft itself.

“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” the researchers said. 

“It is a better resolution to change the product in response to observed user behaviours than to label systemic loss of data confidentiality an end user misconfiguration, allowing the problem to persist and exposing end users to the cybersecurity risk of a data breach." 

The problem lies with Open Data Protocol (OData) APIs, which retrieves data from Power Apps lists which, in turn, pull data from tables and limit access to the list data that a user can see based on table permissions.  

Product documentation for Power Apps describes the conditions under which OData APIs can be made publicly accessible, with marketing material suggesting organisations can access their data anonymously or through commercial authentication. 

If, however, configurations are not set and the OData feed is enabled, anonymous users can access list data freely. The number of accounts exposing sensitive data reveals the risk attached to this feature and the likelihood of misconfiguring permissions, which hasn’t been fully appreciated until now. 

Adding to concerns is the fact that various security reviews conducted by some of the affected entities didn’t catch these misconfigurations. 

Related Resource

Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes

How to define effective security awareness and training programmesDownload now

UpGuard first identified this issue on 24 May and conducted some analysis to determine how serious the issue was. The security firm then submitted a vulnerability report to Microsoft on 24 June, including steps to identify OData feeds that allowed anonymous access to list data, and URLs for accounts exposing sensitive information.

On 29 June, the case was closed and a Microsoft analyst informed UpGuard researchers that the firm had determined this behaviour is considered to be by design. 

After UpGuard began informing affected entities that their data might be exposed, and after finding instances of Microsoft data caught out by this misconfiguration, the firm learned that Microsoft did eventually take action.

Microsoft notified government cloud customers of this issue, and also released a tool for checking Power Apps portals. The firm has also planned changes to the product so that table permissions will be enforced by default.  

"For anyone who digitally processes sensitive information– that is, virtually all companies and government bodies– being prepared for a notification of a data leak or other incident will improve outcomes,” UpGuard continued.

“In some cases, we struggled to get in contact with anyone who would remediate the issue. Providing a designated privacy contact on an easily searchable web page improves that part of the response process. 

“Finally, technology leaders should have a general understanding of the phenomenon of data exposures. As more information is moved online, the frequency of sensitive data being made publicly available increases.”

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now


Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022