More than a thousand web applications erroneously exposed 38 million records on the open Internet, including data from multiple Covid-19 contact tracing platforms, vaccination registries, job application portals, and employee databases. The data includes a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and Covid-19 vaccination status.
The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company JB Hunt, the Maryland Department of Health, the New York City Department of Transportation, and New York City Public Schools. Although the data leakage has since been resolved, it shows that a single poor configuration setting in a popular platform can have a profound impact.
All of the exposed data was stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to build web or mobile applications for external use. If you need to quickly launch a vaccine appointment registration site during a pandemic, a Power Apps portal can generate both the public-facing site and the data management backend.
Starting in May, researchers from the security company UpGuard began surveying a large number of Power Apps portals that disclosed data that should have been kept confidential, including some Power Apps portals built by Microsoft for its own purposes. No data is known to have been compromised, but the finding is still important because it revealed an oversight in the design of the Power Apps portal service, which has since been fixed.
In addition to managing internal databases and providing a basis for developing applications, the Power Apps platform also provides ready-made application programming interfaces for interacting with the data. UpGuard researchers realized that when these APIs were enabled, the platform made the corresponding data publicly accessible by default; restricting access was a manual step. As a result, many customers misconfigured their applications simply by keeping the insecure default settings.
“We found one of the configuration errors that exposed data. We thought, we have never heard of this. Is this a one-time thing or a systemic problem?” said Greg Pollock, Vice President of Network Research at UpGuard. “Because of the way the Power Apps portal product works, it is very easy to investigate quickly. We found that there are many such exposures. It is wild.”
The types of information the researchers stumbled upon varied widely. JB Hunt exposed job applicant data, including social security numbers. Microsoft itself exposed several databases through its own Power Apps portals, including an old platform called “Global Payroll Service”, two “Business Tool Support” portals, and a “Customer Insights” portal.
The exposure was limited in several respects. For example, the fact that the State of Indiana’s Power Apps portal was publicly accessible does not mean that all data held by the state was made public; only part of the contact tracing data used in the state’s Power Apps portal was involved.
Misconfiguration of cloud-based databases has long been a serious problem, and over the years it has exposed massive amounts of data to improper access or theft. Major cloud providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customer data privately by default and to flag potential misconfigurations, but the industry did not prioritize the issue until recently.
After years of studying cloud misconfigurations and data exposure, UpGuard researchers were surprised to find these problems in a platform they had never examined before. UpGuard attempted to investigate the exposures and notify as many affected organizations as possible. However, the researchers could not reach every entity because there were too many, so they also disclosed the findings to Microsoft. In early August, Microsoft announced that Power Apps portals now keep API data and other information private by default. The company also released a tool that customers can use to check their portal settings. Microsoft did not respond to WIRED’s request for comment.