Misconfigured PowerApps Exposes 38M Records
Misconfigured applications built using Microsoft Power Apps platform made 38 million records publicly available on the open web. This is due to a default setting in the platform that enable to access the contents without credentials
Power Apps is a low-code development platform sold by Microsoft that enables business users without extensive programming expertise to quickly create custom applications. Applications built with Power Apps can be used to automate internal business tasks at a company, like copying purchase logs from one database to another. The platform also lends itself to building websites such as customer support portals.
Earlier this year , a website built with PowerApps has been exposing thee contents. This was notified to the Microsoft and it provides an update to mitigate the issue. Over the course 1000 such Power Apps Application seen exposing the data includes Ford, American Airlines and Microsoft itself. This is due to not enabling a key security settings in Power Apps
Applications created with Power Apps keep their information in spreadsheets. Those spreadsheets are hosted in a Microsoft service called Dataverse. Until August, information in applications’ spreadsheets could by default be accessed without a password through an application programming interface. Companies had to specifically enable a privacy setting via the Power Apps management console to prevent Power Apps from making information publicly accessible.
When a developer enables the OData feed on the ‘OData Feed’ list settings tab, they must also activate the ‘Enable Table Permissions’ option on the “General” list settings tab unless they wish to make the OData feed public.
Microsoft changed the Power Apps settings to make application data inaccessible by default. Additionally, Microsoft has released a tool for checking Power Apps portals and planned changes to the product so that table permissions will be enforced by default.