A Microsoft platform exposes 38 million records, including personal data of users

The personal data of millions of people in various parts of the world was exposed to the public due to weak security settings in Microsoft Power Apps. It is a platform used to create custom applications in the cloud, in a few hours and without programming knowledge.

According to the cybersecurity company UpGuard, those affected include several public organizations and private companies that used the Microsoft Power Apps platform for various purposes. In the United States, for example, some institutions used it to schedule COVID-19 vaccination appointments.

As a result, confidential data such as social security numbers, names, phone numbers and email addresses of Americans were exposed online. But the problem also reached the private sector, affecting companies such as American Airlines and Microsoft itself.

UpGuard told Hypertextual that the 38 million records also include those of customers of companies in Europe, Latin America, Oceania, East Asia and South Asia. However, in these cases only “contact content of the CRM type There were no government entities affected outside of the United States either.

What caused the Microsoft Power Apps problem?

Microsoft Power Apps aims to make it easier for customers to create their own web and mobile applications. To that end, it offers an easy programming interface so that customers can use the collected data according to their needs, for example to manage a shift roster.

The problem arose with the default configuration of the stored data. If the data were configured in table mode, they were protected. However, in list mode (which was the default setting) they were left without privacy protection. As a result, unauthorized users could have accessed them.

UpGuard immediately reported the problem to Microsoft. After that, the Redmond company reached the conclusion that it was not a security flaw, but a function of the application. However, it modified the default settings to avoid future privacy issues.

Hypertextual also contacted Microsoft, which offered the following statement: “Our products provide customers with flexibility and privacy features to design scalable solutions for a wide variety of needs. We take security and privacy very seriously, and we encourage our customers to use best practices when configuring products to best suit their privacy needs.”
