Data Protection

Misconfigured Microsoft Power Apps Portals Exposed Millions of Records

UpGuard security researchers have identified tens of Microsoft Power Apps portals that exposed millions of records due to being misconfigured.

Microsoft Power Apps portals allow organizations to create different types of websites – including social engagement application platforms, ecommerce portals, and services and support sites – that can be shared externally or internally.

A portal can be accessed either anonymously or through commercial authentication providers, including Facebook, Google, LinkedIn, or Microsoft, and access to the data behind it is meant to be restricted according to the permissions the organization configures.

Misconfigurations, however, can allow unauthorized access to that data, and UpGuard says it identified 47 such instances. The affected entities, ranging from airlines to government organizations and Microsoft itself, exposed a combined 38 million records to the Internet across all portals.

After discovering an incident in which personally identifiable information (PII) was exposed through the OData API of a Power Apps portal, UpGuard launched an investigation to identify additional instances and found that tens of other portals exposed data through their OData APIs in the same way.

The 38 million exposed records that UpGuard identified contained various amounts of personally identifiable information, including names, addresses, phone numbers, email addresses, birth dates, vaccination types, COVID-19 testing appointment information, employer IDs, job types, and even Social Security Numbers in some cases.

Some of the affected entities include American Airlines (869,290 records), Denton County, TX (1,286,106 records), Ford (104,578 records), J.B. Hunt (962,099 records), Maryland Department of Health (388,512 records), New York City Municipal Transportation Authority and NYC Schools (898,999 records), State of Indiana (1,087,240 records), and Microsoft portals (Global Payroll Services – 332,000 records; Business Tools Support – 45,810 records; Customer Insights Portal – 277,400 records; Mixed Reality – 39,210 records; Azure China – 9,200 records).

The researchers first notified Microsoft of the issue on June 24, and Microsoft told them about a week later that the reported behavior “is considered to be by design.” UpGuard then began notifying the affected parties, most of which secured the exposed data almost immediately.

“Microsoft eventually did take follow up actions. At some point, Microsoft notified government cloud customers of this issue. We did not receive that notification, of course, but could observe its effect in that several lists for portals that had been public in June were no longer public by the end of July,” UpGuard says.

Microsoft also released a tool for checking Power Apps portals to make sure that no anonymous access is allowed and that permissions are enforced as intended. Overall, the issue is regarded not as a software vulnerability but as a misconfiguration, yet UpGuard believes that “it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities.”
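The exposure UpGuard describes is visible from outside: an anonymous visitor asks the portal's OData feed for its service document, and then for rows of each table it lists. The following script is an added example written for this article, not code from UpGuard or Microsoft, and a practitioner can run it against their own portal to check the same thing the article's notification process relied on. It assumes that the portal's OData feed is served under the `/_odata/` path and that the service document and entity responses are standard OData JSON (a `value` array); the host `portal.example.invalid` and the two table names in the built-in sample are constructed for offline use and are not taken from any real portal.

```python
"""
Added example (not UpGuard's or Microsoft's code): probe a Power Apps
portal for tables readable through its anonymous OData feed.

Assumptions, labelled here because the article does not spell them out:
  * the portal's OData feed is served at https://<host>/_odata/ and the
    service document there is OData JSON: {"value": [{"name": ..., "url": ...}]}
  * an entity set that answers an unauthenticated GET with HTTP 200 and a
    non-empty "value" array is readable by anyone on the Internet.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status_code, body_text) for a URL. It sends no cookies
# or credentials, so it sees exactly what an anonymous visitor sees.
Fetcher = Callable[[str], Tuple[int, str]]


def anonymous_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher: plain GET with no session, asking for JSON."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def parse_service_document(body: str) -> List[str]:
    """Entity-set names from an OData service document; [] if the body is
    not one (for example an HTML sign-in page returned instead)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    sets = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(sets, list):
        return []
    return [s["name"] for s in sets if isinstance(s, dict) and "name" in s]


def classify_entity_response(status: int, body: str) -> Tuple[str, int]:
    """Map an anonymous GET on an entity set to a verdict and a row count:
    "exposed" (rows came back), "denied" (401/403/404), "no-rows" (200 but
    empty, e.g. an empty table or rows filtered by table permissions),
    or "unknown" for anything else."""
    if status in (401, 403, 404):
        return "denied", 0
    if status != 200:
        return "unknown", 0
    try:
        rows = json.loads(body).get("value", [])
    except (ValueError, AttributeError):
        return "unknown", 0
    return ("exposed", len(rows)) if rows else ("no-rows", 0)


def audit_portal(host: str, fetch: Fetcher = anonymous_fetch,
                 sample: int = 5) -> Dict[str, Tuple[str, int]]:
    """Enumerate the anonymous OData feed of `host` and classify every
    entity set it advertises. Returns {} when there is no anonymous feed."""
    base = f"https://{host}/_odata/"
    status, body = fetch(base)
    if status != 200:
        return {}
    results: Dict[str, Tuple[str, int]] = {}
    for name in parse_service_document(body):
        # $top keeps the probe small; the verdict only needs a few rows.
        results[name] = classify_entity_response(*fetch(f"{base}{name}?$top={sample}"))
    return results


# Constructed offline sample (not captured from any real portal): a service
# document advertising two lists, one readable anonymously and one not.
_SAMPLE_HOST = "portal.example.invalid"
_SAMPLE_RESPONSES = {
    f"https://{_SAMPLE_HOST}/_odata/": (200, json.dumps({
        "value": [{"name": "contacts", "url": "contacts"},
                  {"name": "appointments", "url": "appointments"}]})),
    f"https://{_SAMPLE_HOST}/_odata/contacts?$top=5": (200, json.dumps({
        "value": [{"fullname": "A. Person", "emailaddress1": "a@example.invalid"},
                  {"fullname": "B. Person", "emailaddress1": "b@example.invalid"}]})),
    f"https://{_SAMPLE_HOST}/_odata/appointments?$top=5": (403, ""),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Fetcher that serves the constructed sample instead of the network."""
    return _SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    import sys
    # With a hostname argument the script probes that portal over the network;
    # without one it runs against the constructed sample above.
    live = len(sys.argv) > 1
    host = sys.argv[1] if live else _SAMPLE_HOST
    for name, (verdict, n) in sorted(audit_portal(host, anonymous_fetch if live else sample_fetch).items()):
        print(f"{name:30s} {verdict:8s} {n} row(s) in sample")
```

Run it with no arguments to see the sample verdicts, or with your portal's hostname to probe it. Anything reported as "exposed" is readable by every visitor on the Internet, which is exactly the condition that produced the 38 million exposed records; "no-rows" deserves a second look with a larger `$top` or a different `$filter`, since a 200 with an empty array can mean either an empty table or table permissions doing their job.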

“This is a great example of the impact UI design decisions can have on the decisions users make. The anonymous access enabled in Power Apps is a result of two settings that are located in different tabs in a configuration dialog box. If you enable one and skip the other, you allow everyone on the internet to access your table contents. This behavior is by design and documented, but the connection between the settings is not obvious for someone designing the application,” Ilia Sotnikov, VP at Netwrix, said in an emailed comment.

“Power Apps allow [us] to build and quickly launch no code or low code applications. Since this is hosted by Microsoft, this may create a false sense of security for a customer that just puts together the building blocks. Companies still must take time to learn the security features and the access model of the cloud platforms they use. They also should do at least basic threat modelling and security review for the applications they build and launch,” Sotnikov added.

Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing

Related: Survey Shows Reasons for Cloud Misconfigurations are Many and Complex

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
