Security firm UpGuard has blamed the default permissions settings in an app-building tool from Microsoft, called Power Apps, for exposing the data of 38 million users online. According to UpGuard, user records stored on the Microsoft service, including private information, were mistakenly left exposed. The Power Apps tool allows companies in the creation of websites and mobile apps to interact with the public. According to UpGuard, the service’s default software configuration setting meant that the data of the affected organisations was left without protection till it was fixed recently.
This data includes names, addresses, financial information and Covid-19 vaccination statuses. However, fortunately while the data was exposed there are no signs of any compromise before the leak was resolved.
Who are the affected organisations
Some 47 organizations and US government entities are said to have been affected by this data breach. The names include American Airlines, Ford, JB Hunt and public agencies such as the Maryland Department of Health and New York City’s public transit system.
How did the expose happen
UpGuard’s vice president of cyber research Greg Pollock told Wired, which first reported the data expose, that in researchers from the firm started investigating a large number of Power Apps portals that publicly exposed data that should have been private, including in some Power Apps that Microsoft made for its own purposes, in May this year. “We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” he said. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild,” he added. They then disclosed the findings to Microsoft.
How Microsoft resolved this
Microsoft said that it let customers know when potential security risks were uncovered to allow them to fix the problems. “We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” a spokesperson said. The company announced that Power Apps portals will now default to storing API data and other information privately. It has also released a tool that allows customers to check their portal settings.
On its part, Microsoft mantains that this was not a vulnerability as the apps were configured as per the users’ permissions.
Stay connected with us on social media platform for instant update click here to join our Twitter, & Facebook
We are now on Telegram. Click here to join our channel (@TechiUpdate) and stay updated with the latest Technology headlines.
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
Denial of responsibility! NewsAzi is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.
