Microsoft Power Apps data exposure: Prioritizing sensitive data with secure configuration settings

Security misconfigurations are one of the most common gaps hackers look to exploit. One bad configuration setting in a popular cloud platform can have far-reaching consequences, allowing threat actors to access an abundance of valuable, personal information and use it to their advantage.

Over the last 12-18 months, the COVID-19 pandemic has driven the rapid adoption of cloud applications across the world. According to Cloudwards, 94% of all enterprises now use cloud services. Whilst organizations have rushed to adopt cloud platforms, expertise in these platforms has lagged, often resulting in misconfiguration, and leading to many of the cases of data exposure that have been seen.

In a recent incident, around 38 million records were exposed online after a default setting in Microsoft’s Power Apps portal service left them publicly accessible. Personally Identifiable Information (PII), such as Social Security numbers, home addresses and COVID-19 vaccination statuses were visible to anyone who had access to the platform. The incident underscores the importance of secure by default configuration, and that even in low code environments such as Microsoft Power Apps security must still be a consideration for those organizations leveraging the platform.

Organizations relying on cloud services – in this case a low code platform – must be aware of the shared responsibility model; meaning that the customer and cloud provider each take responsibility for some elements of security. Where these lines are drawn varies by cloud provider, as well as by service, and is a critical consideration in leveraging any cloud platform.

Vulnerability versus misconfiguration

This event also presents an interesting case study for security findings. Upguard – who discovered the exposure – agree with Microsoft that this issue was not strictly a software vulnerability. The Microsoft documentation even included a caution highlighting the risks of anonymous public access if settings are not appropriately configured. To some extent this puts the onus on the user of the cloud service to fully understand the consequences of the configuration settings they chose – back to the shared responsibility model.

That said, Microsoft Power Apps has now been updated so that it does not allow anonymous access to data tables by default, and while users of the platform can still choose to change that setting, they are effectively prevented from overlooking a setting that could have far reaching consequences.

Monitoring and the cloud

Even though no customer data has been compromised (that we know of), the discovery highlighted the importance of approaching cloud services with the same level of diligence that you would approach services hosted in-house. Just because it’s in the cloud it doesn’t mean it’s inherently secure.

The threats to the service still need to be modelled and understood. The main cause of concern with this case is that it left vast quantities of personally identifiable items open to access, creating an opportunity for a wide scope of potential attack methods: fraud, account hacking, spear-phishing and blackmail are just some of the further crimes made possible for threat actors by this sort of data being exposed.

There needs to be a greater awareness of the dangers of misconfigurations across the entire playing field or organizations risk facing irreversible repercussions. Security teams do need visibility into all systems, whether on-premise or in the cloud, so they can maintain a robust security posture.

One of the challenges with cloud platforms is that logs are not always accessible to the users of those platforms and, where they are available they can sometimes be difficult to obtain or only available some considerable time after the event of interest. When adopting cloud solutions, particularly if those solutions are hosting sensitive data, organizations should consider how they are to monitor those solutions and if the appropriate level of visibility can be gained.

Attackers are constantly on the lookout for the low hanging fruit – after all why try to compromise the on-premises systems to gain authenticated access, when the valuable data is available anonymously from a cloud platform.

With the breadth of platforms in use today, you simply cannot be an expert in every one of them, but what you can do is stop and think about what the risks may be to the data in your application and consider whether the configuration is appropriate for that dataset. Beyond that, monitoring and review is the safety net for catching any inadvertent misconfigurations before a threat actor does.