
Low-Code, High Risk: Millions of Records Exposed via Misconfigured Microsoft Power Pages

A security researcher examined a sample of Microsoft Power Pages deployments and found several whose misconfigured access controls allowed unintended access to confidential data.

Researchers have discovered multiple misconfigured Microsoft Power Pages deployments and suspect the problem is widespread.

Power Pages is a low-code tool for building web portals, typically fronting Microsoft's Dataverse database. It is widely used by government entities, educational institutions, and private organizations around the world, sometimes to let the public interact with the organization and sometimes to give employees remote access to data.

Aaron Costello, chief of SaaS security research at AppOmni, investigated a small number of installations and rapidly found several with misconfigurations allowing unintentional access to confidential data. He found around 7 million exposed records in about half a dozen implementations. For example, he notes in his analysis, “A large, shared business service provider for the NHS was leaking the information of over 1.1 million NHS employees, with large portions of the data including email addresses, telephone numbers, and even home addresses of the employees.”

The problem is purely one of configuration, not a flaw in Microsoft's code. The product itself displays banner warnings when it detects risky settings. Those warnings are advisory, however: nothing stops a portal from going live with them unresolved, and what Microsoft cannot do is ensure that administrators act on them.

The underlying problem may be the dilemma facing every software vendor: making a product that is easy to use and attractive to buy without making it easy to misuse. Power Pages provides out-of-the-box role-based access control, automatic integration with Dataverse, and drag-and-drop pre-built components. Modern tooling makes building a portal relatively easy, but securing and maintaining it remain complex. The result is a gap between how easy a portal is to build and how hard its access controls are to keep correct, producing misconfigurations, either at launch or as the portal evolves, that the deploying organization may lack the expertise to recognize.

The need for custom code is reduced, but not eliminated. The misconfigurations and data exposures "are occurring due to a misunderstanding of access controls within Power Pages, and insecure custom code implementations," notes the AppOmni report. "By granting unauthenticated users excessive permissions, anyone may have the ability to extract records from the database using readily available Power Pages APIs."
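The extraction path the report describes, an unauthenticated request to the portal's Web API that returns rows the anonymous role should never see, can be checked from outside without pulling any bulk data. The following probe is an added example for this article, not code from AppOmni or Microsoft. It assumes the Power Pages Web API convention of `https://<site>/_api/<entity set name>` with OData query options, requests a single row per table with `$top=1`, and classifies the response. The sample responses in `CANNED` are constructed so the script runs offline; pass the default `anonymous_get` as the fetcher to run it against a site you are authorized to test.

```python
"""Anonymous read probe for a Power Pages site's Web API (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Dataverse 'contact' columns that commonly hold personal data. Constructed list
# for this example; extend it for the tables your portal actually exposes.
SENSITIVE_COLUMNS = {
    "emailaddress1", "telephone1", "mobilephone",
    "address1_line1", "address1_city", "address1_postalcode", "birthdate",
}


def anonymous_get(url):
    """Plain unauthenticated GET: no cookies, no bearer token, no session.

    Returns (status_code, body_text). HTTP errors are returned rather than
    raised so the caller can classify 401/403/404 alongside 200.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses standing in for a live site, so the example runs offline.
CANNED = {
    "contacts": (200, json.dumps({"value": [{
        "@odata.etag": 'W/"1"', "contactid": "00000000-0000-0000-0000-000000000001",
        "fullname": "A. Example", "emailaddress1": "a.example@example.test",
        "telephone1": "+44 20 0000 0000", "address1_line1": "1 Example Street"}]})),
    "accounts": (403, json.dumps({"error": {"message": "Access denied"}})),
    "incidents": (200, json.dumps({"value": []})),
}


def canned_fetch(url):
    """Fetcher that answers from CANNED instead of the network."""
    entity_set = url.split("/_api/", 1)[1].split("?", 1)[0]
    return CANNED.get(entity_set, (404, ""))


def probe_table(site_url, entity_set, fetch=anonymous_get):
    """Ask the Web API for one row of `entity_set` as an anonymous user.

    `entity_set` is the OData entity set name (e.g. 'contacts'). `$top=1` keeps
    the probe to a single record: the aim is to learn whether anonymous read is
    enabled and which columns come back, not to copy the data.
    """
    url = f"{site_url.rstrip('/')}/_api/{entity_set}?$top=1"
    status, body = fetch(url)
    result = {"table": entity_set, "status": status, "columns": [], "sensitive": []}

    if status != 200:
        # 401/403 typically mean table permissions denied the anonymous role;
        # any other status is reported as-is for manual review.
        result["finding"] = "not readable anonymously"
        return result
    try:
        records = json.loads(body).get("value", [])
    except (ValueError, AttributeError):
        result["finding"] = "200 but not an OData response (check the URL)"
        return result
    if not records:
        # The API answered, but the anonymous role saw zero rows: the table is
        # either empty or fully filtered by permissions. Worth a second look.
        result["finding"] = "readable anonymously, no rows returned"
        return result

    columns = sorted({c for rec in records for c in rec if not c.startswith("@")})
    result["columns"] = columns
    result["sensitive"] = sorted(set(columns) & SENSITIVE_COLUMNS)
    result["finding"] = ("EXPOSED: anonymous read returns personal data"
                         if result["sensitive"] else
                         "exposed: anonymous read returns records")
    return result


def probe_site(site_url, entity_sets, fetch=anonymous_get):
    """Probe several tables; return only those that returned records."""
    findings = [probe_table(site_url, es, fetch) for es in entity_sets]
    return [f for f in findings if f["finding"].lower().startswith("exposed")]


if __name__ == "__main__":
    # Offline demonstration against the constructed responses. Replace
    # canned_fetch with anonymous_get (and the URL) for an authorized live check.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.powerappsportals.com"
    for finding in probe_site(site, ["contacts", "accounts", "incidents"], canned_fetch):
        print(json.dumps(finding, indent=2))
```

The probe deliberately stops at one row per table: the question is whether the anonymous role can read at all and whether the columns it gets back include personal data, which is exactly the condition the report describes. Treat a 200 with an empty `value` as a lead, not a pass; a table that is readable but currently empty will start leaking the moment rows are added.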

This mismatch between the ease of low-code building and the complexity of access control is likely the root of the misconfigurations. "It's very, very easy for an organization to say, 'Okay, well, I want all internal employees to have access to each other's email addresses when they log in' – and in doing so, it's easy to accidentally expose their home addresses and phone numbers in the process of that," Costello told SecurityWeek.

The problem is then exacerbated by the still-common silo between development and security teams: there remains friction over which of the two should own the issue.


Costello believes that Power Pages misconfigurations may be very widespread, particularly within the UK and European public sector. “The public sector is under a lot of pressure to get things up and running as quickly as possible. If citizens or employees need a service, the sector tries to push that as fast as possible – and it’s very easy to accidentally expose data when you’re rushing.” But the same argument will apply to all government entities and private companies anywhere in the world. “When you rush things, it typically doesn’t end too well,” he added.

Because the problems stem from how customers configure Power Pages rather than from Microsoft's code, AppOmni has not reported its findings to Microsoft: there is nothing for Microsoft to fix. It has, however, notified every affected organization it identified, and all of the discovered misconfigurations have since been fixed.

That does not solve the underlying problem. Misconfigurations will keep appearing, because low-code tooling lets users with little security expertise build complex applications. Penetration testing can find a misconfiguration but does not resolve the issue: a portal that is correctly configured today can be misconfigured tomorrow as it evolves. If the root cause is modern technology, the remedy must be too. AppOmni recommends continuous monitoring by a system able to detect such misconfigurations as they arise.
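Continuous monitoring of this kind comes down to re-checking a few settings on a schedule: which web roles hold Read on which tables, at what scope, and which columns the Web API will serve for those tables. The script below is an added example for this article, not AppOmni's product or Microsoft tooling. It uses the Power Pages names for the two default web roles ("Anonymous Users", "Authenticated Users"), the table-permission access types (Global, Self, Account and so on), and the Web API site settings `Webapi/<table>/enabled` and `Webapi/<table>/fields` (where `*` means every column). The permission and setting inventories are constructed and simplified; a real export from your environment will be richer and needs a small loader.

```python
"""Scheduled table-permission review for a Power Pages site (added example)."""

# Default web roles that every Power Pages site ships with.
ANONYMOUS = "Anonymous Users"
AUTHENTICATED = "Authenticated Users"

# Constructed, simplified inventory of table permissions. Field names follow the
# Power Pages admin UI (access type, privileges, web roles).
TABLE_PERMISSIONS = [
    {"name": "Contacts - public read", "table": "contact", "access_type": "Global",
     "privileges": ["Read"], "web_roles": [ANONYMOUS]},
    {"name": "Contacts - all employees", "table": "contact", "access_type": "Global",
     "privileges": ["Read"], "web_roles": [AUTHENTICATED]},
    {"name": "Own contact record", "table": "contact", "access_type": "Self",
     "privileges": ["Read", "Write"], "web_roles": [AUTHENTICATED]},
    {"name": "Cases for my account", "table": "incident", "access_type": "Account",
     "privileges": ["Read", "Create"], "web_roles": [AUTHENTICATED]},
]

# Constructed site settings: the weak configuration. Every contact column is
# served by the Web API; the incident table is limited to three columns.
SITE_SETTINGS = {
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "*",
    "Webapi/incident/enabled": "true",
    "Webapi/incident/fields": "title,ticketnumber,statuscode",
}

# The corrected configuration: drop the anonymous permission and serve only the
# columns the "employees can see each other's email" use case actually needs.
HARDENED_PERMISSIONS = [p for p in TABLE_PERMISSIONS if ANONYMOUS not in p["web_roles"]]
HARDENED_SETTINGS = dict(SITE_SETTINGS, **{"Webapi/contact/fields": "fullname,emailaddress1"})

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def webapi_fields(settings, table):
    """Columns the Web API serves for `table`, or None if the API is disabled."""
    if settings.get(f"Webapi/{table}/enabled", "false").strip().lower() != "true":
        return None
    return settings.get(f"Webapi/{table}/fields", "").strip()


def audit(permissions, settings):
    """Flag Read permissions that let a broad role see a whole table.

    Returns findings as dicts (severity, table, permission, reason), highest first.
    """
    findings = []
    for perm in permissions:
        if "Read" not in perm["privileges"]:
            continue
        fields = webapi_fields(settings, perm["table"])
        if fields == "*":
            api_note = "; Web API serves every column"
        elif fields:
            api_note = f"; Web API serves: {fields}"
        else:
            api_note = ""  # API disabled: the portal's own pages still apply
        roles = set(perm["web_roles"])
        entry = {"table": perm["table"], "permission": perm["name"]}
        if ANONYMOUS in roles and perm["access_type"] == "Global":
            entry.update(severity="high",
                         reason="any visitor can read every row" + api_note)
        elif AUTHENTICATED in roles and perm["access_type"] == "Global":
            entry.update(severity="medium",
                         reason="every signed-in user can read every row" + api_note)
        elif fields == "*":
            entry.update(severity="low",
                         reason="scoped read, but the Web API serves every column; "
                                f"restrict Webapi/{perm['table']}/fields")
        else:
            continue
        findings.append(entry)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def severities(permissions, settings):
    """Convenience view for tests and dashboards: severity per finding, in order."""
    return [f["severity"] for f in audit(permissions, settings)]


if __name__ == "__main__":
    for label, perms, settings in (("weak", TABLE_PERMISSIONS, SITE_SETTINGS),
                                   ("hardened", HARDENED_PERMISSIONS, HARDENED_SETTINGS)):
        print(f"== {label} configuration ==")
        for f in audit(perms, settings):
            print(f"[{f['severity']:6}] {f['table']:<9} {f['permission']}: {f['reason']}")
```

Run on the weak inventory, the audit reports a high (anonymous Global read of `contact` with every column served), a medium (authenticated Global read of the same table) and a low (a Self-scoped permission that is still paired with `fields = *`). The hardened inventory leaves only the medium finding, which is the intended "employees can look each other up" case with the served columns narrowed to name and email; that one stays visible on purpose so a reviewer confirms it is still wanted each time the check runs, rather than disappearing once someone accepts it.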

The bottom line of Costello's investigation is simple: Power Pages portals are easy, and common, to misconfigure.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
