More than a thousand web apps built on Microsoft Power Apps mistakenly exposed 38 million records online, including sensitive data from a number of coronavirus contact tracing platforms, vaccination registrations, job application portals, and employee databases.
Wired reported that the exposed records included a wide array of sensitive information, including phone numbers, home addresses, social security numbers, and vaccination status. The exposure was caused by a misconfiguration of Microsoft's Power Apps Portals, which many organizations use to build apps and web services on top of a shared data store.
A number of major companies and organizations were affected by the leak, including American Airlines, Ford, J.B. Hunt, the New York Metropolitan Transportation Authority, the Maryland Department of Health, and New York City public schools.
The data was all stored behind Microsoft's Power Apps Portals service, which is used to create web or mobile apps for external use. Power Apps portals can be used to build both public-facing sites and the data management back ends for sign-up systems, including job application portals and even vaccine registration sites.
The security firm UpGuard began investigating a number of Power Apps portals in May, after it appeared that they had publicly exposed private data. None of the exposed data appears to have been compromised, but the discovery is still significant and reveals a major oversight in the design of Power Apps portals. UpGuard found that when a portal's OData API feed was enabled for a list, the platform did not turn on table permissions by default, so the underlying table could be read by anyone who queried the portal's OData endpoint without logging in.
Greg Pollock, UpGuard’s vice president of cyber research, commented: “We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue? Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
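The survey Pollock describes comes down to one anonymous HTTP request per list. The script below is an added example for this article, not UpGuard's tooling or anything from Microsoft: it fetches a portal's OData service document, tries to read one row from each entity set without any cookies or credentials, and flags columns whose names suggest PII. It assumes the feed lives at `/_odata` under the portal's base URL (the path UpGuard reported) and that a list with table permissions enforced answers an anonymous request with 401 or 403; both assumptions are marked in the code. The responses it runs against are constructed so the check can be exercised offline.

```python
"""Anonymous OData exposure check for a Power Apps portal (added example).

Assumptions (not from the article): the feed is served at <portal>/_odata,
and a list with table permissions enforced answers an anonymous read with
401/403 rather than rows. The HTTP getter is injected so the logic can be
tested offline against constructed responses.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Column-name fragments that turn an anonymously readable table into a serious leak.
SENSITIVE_HINTS = ("ssn", "social", "birth", "dob", "phone", "email", "address", "vaccin")

Getter = Callable[[str], Tuple[int, str]]


def http_get(url: str) -> Tuple[int, str]:
    """Anonymous GET: no cookies, no Authorization header. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def list_entity_sets(service_doc: str) -> List[str]:
    """Entity-set URLs from an OData service document: {"value": [{"name": ..., "url": ...}]}."""
    doc = json.loads(service_doc)
    return [entry["url"] for entry in doc.get("value", []) if "url" in entry]


def classify(status: int, body: str) -> str:
    """Verdict for one anonymous read: protected, exposed, empty, or unknown."""
    if status in (401, 403):          # assumed behaviour when table permissions are enforced
        return "protected"
    if status != 200:
        return "unknown"
    try:
        rows = json.loads(body).get("value", [])
    except ValueError:
        return "unknown"
    return "exposed" if rows else "empty"


def sensitive_fields(body: str) -> List[str]:
    """Column names in the returned rows that look like PII."""
    rows = json.loads(body).get("value", [])
    names = {key for row in rows for key in row}
    return sorted(n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS))


def audit_portal(base_url: str, get: Getter = http_get) -> Dict[str, dict]:
    """Enumerate entity sets and test whether each is readable without logging in."""
    root = base_url.rstrip("/") + "/_odata"   # assumed feed path
    status, doc = get(root)
    if status != 200:
        return {}
    report: Dict[str, dict] = {}
    for entity_set in list_entity_sets(doc):
        s, body = get(f"{root}/{entity_set}?$top=1")   # one row is enough to prove exposure
        verdict = classify(s, body)
        report[entity_set] = {
            "verdict": verdict,
            "sensitive": sensitive_fields(body) if verdict == "exposed" else [],
        }
    return report


# Constructed responses standing in for a portal; not data from any real site.
SAMPLE_RESPONSES = {
    "/_odata": (200, json.dumps({"value": [
        {"name": "contacts", "url": "contacts"},
        {"name": "vaccine_registrations", "url": "vaccine_registrations"},
        {"name": "announcements", "url": "announcements"},
    ]})),
    "/_odata/contacts": (403, '{"error":{"message":"Access denied"}}'),
    "/_odata/vaccine_registrations": (200, json.dumps({"value": [
        {"fullname": "Sample Person", "ssn": "000-00-0000", "vaccinationstatus": "first dose"}
    ]})),
    "/_odata/announcements": (200, '{"value": []}'),
}


def fake_get(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_get, keyed on the path without host or query string."""
    path = url.split("://", 1)[-1].split("/", 1)[1].split("?", 1)[0]
    return SAMPLE_RESPONSES.get("/" + path, (404, ""))


if __name__ == "__main__":
    for name, row in audit_portal("https://portal.example.invalid", get=fake_get).items():
        print(f"{name:25} {row['verdict']:10} {', '.join(row['sensitive'])}")
```

Run it against a portal you own by dropping the `get=fake_get` argument. An "empty" verdict is not proof of safety: table permissions can filter rows for anonymous users rather than reject the request, so confirm in the portal's configuration that table permissions are enforced for every list whose OData feed is enabled, rather than relying on the probe alone.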