This serious problem was originally discovered in May by UpGuard’s security research team. In a post on the UpGuard blog and in a Wired report, the company explains how organizations using Power Apps built their apps with inappropriate data permissions.
“We found one of these applications that was incorrectly configured to expose data and we thought, we’ve never heard of this, is it something isolated or is it a systemic problem?” UpGuard Vice President of Cyber Research Greg Pollock said. “Due to the way the Power Apps portal product works, it’s very easy to do a search quickly and in that same survey we found that there are tons of them exposed.”
Power Apps allows companies to create apps and websites quickly without formal coding experience. Organizations implicated in the breach, including Ford, American Airlines, JB Hunt and state agencies in Maryland, New York and Indiana, used the service to gather data for a variety of purposes, including organizing vaccination efforts.
Power Apps portals provide tools for quickly collecting and sharing the kinds of data these projects need, but by default they made that data accessible to the public: a portal’s OData API returns the records of any list whose table permissions are not enabled, and that setting was off unless the person building the portal switched it on.
The mechanism of this ‘breach’ is interesting because it blurs the line between a software vulnerability and merely a poor default choice in user interface design.
UpGuard says that Microsoft doesn’t consider this a vulnerability, arguing that users are to blame for not correctly configuring their applications’ permissions. As far as we were able to determine, Microsoft has nevertheless now changed the default permission settings responsible for this exposure.
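For anyone running a Power Apps portal, the practical question is whether its lists are readable without logging in. The script below is an added example written for this article, not code from UpGuard, Microsoft or the Wired report. It assumes the portal’s OData feed is served under `/_odata/`, that an anonymous request to that path returns a standard OData service document listing entity sets, and that each set can be queried at `/_odata/<EntitySet>`; the portal hostname and the sample responses are constructed for illustration. Point `audit_portal` at your own portal (with the real HTTP fetcher) and anything reported as `exposed` is a list that needs table permissions turned on.

```python
"""Check a Power Apps portal for lists that are readable anonymously.

Added example for this article (not UpGuard's or Microsoft's code).
Assumptions: the OData feed lives under /_odata/ and answers unauthenticated
requests with a service document; each entity set is queryable at
/_odata/<EntitySet>.  Hostnames and responses below are constructed.
"""
import json
import urllib.error
import urllib.request

ODATA_PATH = "/_odata/"  # assumed feed path


def entity_sets_from_service_document(body: str) -> list[str]:
    """Extract entity-set names from an OData service document ({"value": [...]})."""
    doc = json.loads(body)
    return [entry["name"] for entry in doc.get("value", []) if "name" in entry]


def classify_list_response(status: int, body: str) -> str:
    """Classify an unauthenticated GET of /_odata/<EntitySet>.

    'exposed'   -> HTTP 200 and at least one record came back
    'empty'     -> HTTP 200 but no records (permissions may still be off)
    'protected' -> 401/403/404, i.e. the feed refused anonymous access
    'other'     -> anything else (unexpected status or non-JSON body)
    """
    if status in (401, 403, 404):
        return "protected"
    if status == 200:
        try:
            records = json.loads(body).get("value", [])
        except (ValueError, AttributeError):
            return "other"
        return "exposed" if records else "empty"
    return "other"


def _http_get(url: str) -> tuple[int, str]:
    """Plain anonymous GET; returns (status, body). Used only when no fetcher is injected."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "User-Agent": "odata-audit"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_portal(host: str, fetch=None) -> dict[str, str]:
    """Probe every entity set on the portal anonymously and classify each one.

    `fetch(url) -> (status, body)` can be injected so the logic runs offline.
    """
    fetch = fetch or _http_get
    status, body = fetch(f"https://{host}{ODATA_PATH}")
    if status != 200:
        return {}  # feed not reachable anonymously: nothing to enumerate
    verdicts = {}
    for name in entity_sets_from_service_document(body):
        set_status, set_body = fetch(f"https://{host}{ODATA_PATH}{name}?$top=1")
        verdicts[name] = classify_list_response(set_status, set_body)
    return verdicts


# Constructed sample responses standing in for a real portal (not real data).
SAMPLE_HOST = "example.powerappsportals.com"
SAMPLE_RESPONSES = {
    f"https://{SAMPLE_HOST}/_odata/": (
        200,
        json.dumps({"value": [{"name": "contacts", "url": "contacts"},
                              {"name": "cases", "url": "cases"}]}),
    ),
    # 'contacts' has table permissions off: records come back to anyone.
    f"https://{SAMPLE_HOST}/_odata/contacts?$top=1": (
        200,
        json.dumps({"value": [{"fullname": "Jane Doe",
                               "emailaddress1": "jane@example.com"}]}),
    ),
    # 'cases' has table permissions on: anonymous reads are refused.
    f"https://{SAMPLE_HOST}/_odata/cases?$top=1": (403, ""),
}


def fake_fetch(url: str) -> tuple[int, str]:
    """Offline stand-in for _http_get backed by the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for entity_set, verdict in audit_portal(SAMPLE_HOST, fetch=fake_fetch).items():
        print(f"{entity_set}: {verdict}")
```

An `empty` verdict is not a clean bill of health: a list with no rows yet will answer 200 with no records even when anyone could read it later, so treat it as a prompt to confirm the table-permission setting rather than as proof it is on.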