This serious problem was first discovered in May by UpGuard’s security research team. In a post on the UpGuard blog and a wire report, the company explains how organizations that use Power Apps built applications with inappropriate data permissions.
“We found one of these applications incorrectly configured to expose data. We had never heard of it. Is it an isolated case, or is it a legitimate problem?” said Greg Pollock, Vice President of Cyber Research at UpGuard. “Because of the way the Power Apps portal product works, it’s very easy to search quickly, and in the same survey we found tons of them.”
Power Apps allows companies to build their own apps and websites easily, without formal coding experience. Organizations involved in the breach, including Ford, American Airlines, J.B. Hunt and government agencies in Maryland, New York and Indiana, used the platform to collect data for a variety of purposes, including organizing vaccination efforts.
Power Apps provides tools for quickly collating the kind of data these projects require, but by default it also made that information accessible to the public.
The mechanism of this ‘breach’ is interesting because it blurs the line between a software vulnerability and a poor user-interface design choice.
UpGuard says that Microsoft does not consider this a vulnerability, attributing it instead to users’ incorrect configuration of their application permissions. Nevertheless, as far as we can tell, Microsoft has changed the default permission settings responsible for this exposure.