How Were 38 Million Records Exposed from Microsoft’s Power Apps?

Maor Bin, CEO & Co-Founder

On August 24th, The Hacker News reported a massive leak of 38 million records from upwards of a thousand web apps. These records, which included Microsoft’s own employee information (among other things, home addresses, social security numbers and vaccination status), were left exposed online for anyone to find. Governmental bodies from places such as Maryland and New York City, as well as private companies such as American Airlines and Ford, were also said to have been impacted.

Researchers from UpGuard found that the exposure came from a default permission setting on Microsoft’s Power Apps platform. Power Apps is a Microsoft-powered development platform that enables individuals to build low-code business apps, for mobile and web use.

One of the options in Power Apps is to enable OData (Open Data Protocol) APIs for retrieving data from Power Apps lists. When an individual enabled the OData feed on the “OData Feed” list settings tab, they also had to activate the “Enable Table Permissions” option on the “General” list settings tab, unless they wanted to make the OData feed public. This was because table permissions were disabled by default. Enabled table permissions do in fact prevent anonymous data access, but a list ignores these permissions, and any custom table permissions, unless the individual activates table permissions for that list.

Figure 1: Creating a list

According to the Microsoft documentation: “To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.”

Figure 2: Microsoft documentation for Table Permissions

When the Table List configurations are not set correctly and the OData feed is enabled, anonymous users can access list data freely, leaving the company exposed.
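
The rule above can be checked mechanically across a portal's lists. The following is an added example, not code from the original article or from Microsoft: a small audit over an exported list inventory. The export layout and the field names (`odata_feed_enabled`, `enable_table_permissions`, `tables_with_permissions`) are hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample export of portal list settings (not real data).
# Field names are hypothetical stand-ins for the settings named in the article:
#   odata_feed_enabled       -> toggle on the "OData Feed" tab
#   enable_table_permissions -> "Enable Table Permissions" on the "General" tab
SAMPLE_EXPORT = json.loads("""
{
  "lists": [
    {"name": "Vaccination Status", "table": "contact", "odata_feed_enabled": true, "enable_table_permissions": false},
    {"name": "Job Postings", "table": "job", "odata_feed_enabled": true, "enable_table_permissions": true},
    {"name": "Support Cases", "table": "case", "odata_feed_enabled": true, "enable_table_permissions": true},
    {"name": "Internal Notes", "table": "note", "odata_feed_enabled": false, "enable_table_permissions": false}
  ],
  "tables_with_permissions": ["contact", "job"]
}
""")


def classify(lst, tables_with_permissions):
    """Return (status, reason) for one list record."""
    if not lst.get("odata_feed_enabled", False):
        return "no_feed", "OData feed is off for this list"
    # A missing flag is treated as disabled, which was the old default.
    if not lst.get("enable_table_permissions", False):
        return "public", "feed is on and the list ignores table permissions"
    if lst["table"] not in tables_with_permissions:
        return "review", "list enforces permissions but none are configured for the table"
    return "secured", "feed is on, permissions are configured and enforced by the list"


def audit(export):
    """Map each list name to its (status, reason)."""
    tables = set(export.get("tables_with_permissions", []))
    return {l["name"]: classify(l, tables) for l in export["lists"]}


def public_feeds(export):
    """Names of lists whose OData feed is readable anonymously."""
    return sorted(n for n, (status, _) in audit(export).items() if status == "public")


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_EXPORT).items():
        print(f"{status:8} {name}: {reason}")
```

In the sample, “Vaccination Status” is flagged as public even though its table has permissions configured, because the list itself does not enforce them.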

As a result of the research and report made in June 2021, Microsoft has made changes to Power Apps portals such that table permissions are enabled by default.

Unfortunately, this type of leak is not a one-off. As the number of apps grows and compounds with the number of configurations, organizations need a better way to keep track and ensure SaaS app security.

SaaS Security Posture Management (SSPM) solutions have risen to the top of the cybersecurity dialogue, as SSPM automated solutions enable companies to continuously monitor and remediate all SaaS apps’ configurations, no matter how seemingly minor, and ensure the company is compliant with industry standards and internal policies.

An SSPM solution alerts an organization when misconfigurations leave them exposed, and helps to prevent the next leak or breach.

About the writer

Maor Bin, CEO & Co-Founder

A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh, and he is a globally-ranked chess player.