Personal Data Exposed from Microsoft’s Power Apps
Microsoft’s Power Apps portal has been exposing personal data for months, including COVID-19 vaccination status, social security numbers and email addresses. It is being classified as a “platform issue,” and it mostly affects those who are doing business with American Airlines, Ford, the Indiana Department of Health, and New York City public schools.
Although 38 million personal records have been exposed, Microsoft doesn’t consider this a vulnerability, but rather a configuration issue. The data leak occurred because of how the Power Apps platform balances the need to keep certain data private with the need to keep other data public. Researchers found that sensitive user data, which should have been kept private, was still publicly accessible. The configuration options for sharing data and storing sensitive data in Microsoft’s Power Apps have been found to potentially leak data.
So what is Microsoft doing to help its customers? Microsoft released a tool to check Power Apps portals for leaky data. It also hopes to change the product so that table permissions will be automatically enforced. As always, it’s important to keep a close eye on your personal data, as well as follow any guidelines or suggestions Microsoft puts forward!
More information on Portal Checker: Analyze and resolve Portal Checker diagnostics results – Power Apps | Microsoft Docs