Misconfigured web apps exposed millions of US personal records online
Researchers pin blame on generous default permission settings
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Improper default permission setting exposed personally identifiable information (PII) of over 30 million US citizens from across a few hundred portals, according tocybersecurityresearchers.
The UpGuard Research team discovered over a thousand anonymously accessible lists across a few hundred portals that included sensitive details such as an individual’s Covid-19 vaccination status, along with their phone numbers, home address, and social security number (SSN), and more.
The data leaked from improperly configuredPowerAppsportals, which not just allowed access to public data as expected, but also exposed private data without anyone being the wiser.
“The UpGuard Research team can now disclose multiple data leaks resulting fromMicrosoftPowerApps portals configured to allow public access - a new vector of data exposure,” state the researchers in theiranalysis of the leak.
Feature or a misconfiguration?
The type of information that the researchers were able to access varied from one organization to the next. In all, the researchers managed to gawk at data from about four dozen entities, including governmental bodies like Indiana, Maryland, and New York City, and private companies like American Airlines, Ford, JB Hunt, and more.
The researchers believe that the staggering amount of exposure highlights a shortcoming on Microsoft’s part, in that it failed to properly convey the default settings and the behavior of the PowerApps platform.
“Our conversations with the entities we notified suggested the same conclusion: multiple governmental bodies reported performing security reviews of their apps without identifying this issue, presumably because it has never been adequately publicized as adata securityconcern before,” note the researchers.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Microsoft initially dismissed UpGuard’s revelations as it was “determined that this behavior is considered to be by design.”
However, as UpGuard began contacting the affected entities, Microsoft took several steps to help its customers avoid leaking data inadvertently. For instance, the company has now released a tool to check for lists that allow anonymous access and also modified the default table permissions.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
A new form of macOS malware is being used by devious North Korean hackers
Scammers are using fake copyright infringement claims to hack businesses
Belkin’s Travel Bag for Vision Pro has pockets and is way cheaper than Apple’s own case
