+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Default settings in Microsoft tool exposes 38 million users’ personal data, says report

Aug 25, 2021, 11:06 IST
IANS
BCCL
A default permissions settings in Microsoft Power Apps might have exposed data of 38 million users online, cyber security researchers reported.
Advertisement

According to security research network UpGuard, the types of data included personal information used for Covid-19 contact tracing, vaccination appointments, social security numbers for job applicants, employee IDs, and millions of names and email addresses.

UpGuard notified 47 entities of exposures involving personal information, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, J.B. Hunt, and Microsoft, for a total of 38 million records across all portals.

"The number of accounts exposing sensitive information, however, indicates that the risk of this feature -- the likelihood and impact of its misconfiguration -- has not been adequately appreciated," the UpGuard team said in a blog post.

Microsoft Power Apps are a product for making "low code", cloud-hosted business intelligence apps. Power Apps portals are a way to create a public website to "give both internal and external users secure access to your data."

Advertisement

Users can create websites in the Power Apps UI with application capabilities like user authentication, forms for users to enter data, data transformation logic, storage of structured data, and APIs to retrieve that data by other applications.

"Our conversations with the entities we notified suggested the same conclusion: multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicised as a data security concern before," they added.

There is, however, no evidence that the data has been exploited.

On May 24, an UpGuard analyst first discovered that the OData API for a Power Apps portal had anonymously accessible list data including personally identifiable information.

The owner of that application was notified and the data secured.

Advertisement
"That case led to the question of whether there were other portals with the same situation -- the combination of configurations allowing lists to be accessed anonymously via OData feed APIs, and sensitive data collected and stored by the apps," the team noted.

As reported by Wired, Microsoft has now changed the default permissions settings responsible for the exposure.




SEE ALSO
Cadila Healthcare’s ZyCoV-D — This is what makes it different from other COVID-19 vaccines
Paytm IPO: Delhi court asks local police to conclude its investigation in three weeks

You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article