38 million personal records leaked from a Microsoft tool



'Power Apps portals', a Microsoft tool that lets users both inside and outside an organization work with data stored in Microsoft Dataverse through a web portal, has been found to have exposed 38 million records of personal data, including COVID-19 vaccination records and Social Security numbers.

By Design: How Default Permissions on Microsoft Power Apps Exposed Millions | UpGuard
https://www.upguard.com/breaches/power-apps

Microsoft Spills 38 Million Sensitive Data Records Via Careless Power App Configs | Threatpost
https://threatpost.com/microsoft-38-million-sensitive-records-power-app/168885/

Power Apps is officially described by Microsoft as 'a suite of apps, services, connectors and a data platform that provides a rapid application development environment to build custom apps for your business needs.' It is used to build applications that read and write business data held in Dataverse or in other cloud and on-premises data sources, and a Power Apps portal publishes that data to an external-facing website.

UpGuard, a security vendor, discovered that sensitive data was exposed from the public websites of such Power Apps portals. According to the company's research team, the exposed data included COVID-19 vaccination appointment records, Social Security numbers of job applicants, employee IDs, and millions of name and email address pairs. In total, 38 million records were reported exposed across 47 organizations that use Power Apps portals.

Among the exposed datasets, the most detailed belonged to American Airlines, Ford, the Indiana Department of Health, and New York City public schools. UpGuard describes some of the exposures as follows:

American Airlines:
Two lists of personal data containing full names, job titles, phone numbers, and email addresses were exposed. The first holds 398,890 records and the second 470,400.

Denton County, Texas:
632,171 records containing vaccination information, vaccination appointment date and time, employee ID, full name, email address, phone number, date of birth, and other personal details were exposed. In addition, 400,091 records pairing names with vaccination information and 253,844 records pairing names with email addresses were also exposed.

JB Hunt Transport Services:
905,228 records containing customer names, email addresses, physical addresses, and phone numbers were exposed. More than 250,000 of these records also include Social Security numbers.

Microsoft's own global payroll services portal:
332,000 records of Microsoft employees and contractors, including names, phone numbers, and email addresses, were exposed.



According to UpGuard, the exposure stems from how Power Apps portals publish list data through the Open Data Protocol (OData) API. Some data handled by a portal is meant to be public while related datasets must stay private. In the case of a COVID-19 vaccination appointment site, for example, the vaccination locations and available appointment slots should be public, while the personal details of the people booking appointments should be private.

However, UpGuard found that much of the data that should have been private was left anonymously readable on these portals. UpGuard points out that this follows from how the portal feature works: 'even if the data is treated as private, if the OData feed is enabled on a list, the underlying table data can be accessed freely' unless table permissions are explicitly configured, which was not the default.

In practice, many Power Apps portal operators enabled the OData feed without restricting table permissions, leaving sensitive data readable by anyone on the internet, which led to this massive exposure.
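The check an operator would want here is whether a portal's OData feed returns list data to an unauthenticated client, and whether the rows that come back look like personal data rather than public reference data. The script below is an added example, not code from UpGuard or Microsoft. It assumes the documented portal feed layout (GET <portal>/_odata/ returns the OData service document listing the exposed entity sets, and GET <portal>/_odata/<entityset> returns a JSON object with a "value" array of records) and that the feed honours the $top query option; the hostname, entity set names and every response in SAMPLE_PORTAL are constructed for this example.

```python
"""
Anonymous OData exposure audit for a Power Apps portal (added example).

Assumptions (not verified against any real portal):
  GET <portal>/_odata/            -> OData service document (entity sets)
  GET <portal>/_odata/<set>?$top=N -> {"value": [record, ...]}
A list whose table permissions block anonymous reads is expected to
return an HTTP error or an empty "value"; either is reported as not exposed.
"""
import json
import urllib.request
from typing import Callable, Dict, List

# Field-name fragments that suggest a record holds personal data rather
# than public reference data such as site names or appointment slots.
SENSITIVE_HINTS = ("ssn", "socialsecurity", "birth", "dob", "email",
                   "phone", "employeeid", "address")


def http_fetch(url: str) -> str:
    """Plain anonymous GET: no cookies, no auth header, JSON requested."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def list_entity_sets(service_doc: str) -> List[str]:
    """Entity set names from an OData JSON service document."""
    doc = json.loads(service_doc)
    return [e["name"] for e in doc.get("value", [])
            if e.get("kind", "EntitySet") == "EntitySet"]


def sensitive_fields(record: Dict) -> List[str]:
    """Field names in one record that match a sensitive-data hint."""
    hits = []
    for key in record:
        norm = key.lower().replace("_", "")
        if any(h in norm for h in SENSITIVE_HINTS):
            hits.append(key)
    return hits


def audit_portal(base_url: str, fetch: Callable[[str], str] = http_fetch,
                 sample: int = 5) -> Dict[str, Dict]:
    """For each entity set: is it anonymously readable, and what did we see."""
    base = base_url.rstrip("/")
    report: Dict[str, Dict] = {}
    svc = fetch(f"{base}/_odata/")          # fails loudly if no feed at all
    for name in list_entity_sets(svc):
        url = f"{base}/_odata/{name}?$top={sample}"
        try:
            rows = json.loads(fetch(url)).get("value", [])
        except Exception as exc:            # 401/403/404: not readable
            report[name] = {"exposed": False, "records_sampled": 0,
                            "sensitive_fields": [], "error": str(exc)}
            continue
        fields = set()
        for row in rows:
            fields.update(sensitive_fields(row))
        report[name] = {"exposed": bool(rows), "records_sampled": len(rows),
                        "sensitive_fields": sorted(fields)}
    return report


# Constructed sample portal: one public list (sites/slots) and one list of
# appointment records that should have been private.
PORTAL = "https://contoso.example.powerappsportals.com"
SAMPLE_PORTAL = {
    f"{PORTAL}/_odata/": json.dumps({"value": [
        {"name": "vaccinationsites", "kind": "EntitySet", "url": "vaccinationsites"},
        {"name": "appointments", "kind": "EntitySet", "url": "appointments"},
        {"name": "staffroster", "kind": "EntitySet", "url": "staffroster"},
    ]}),
    f"{PORTAL}/_odata/vaccinationsites?$top=5": json.dumps({"value": [
        {"siteid": "1", "name": "Civic Center", "slot": "2021-08-23T09:00"},
        {"siteid": "2", "name": "Fairgrounds", "slot": "2021-08-23T10:00"},
    ]}),
    f"{PORTAL}/_odata/appointments?$top=5": json.dumps({"value": [
        {"fullname": "Jane Doe", "emailaddress": "jane@example.com",
         "dateofbirth": "1980-01-01", "employeeid": "E123"},
    ]}),
    # staffroster has table permissions enforced: anonymous request fails.
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_fetch that serves SAMPLE_PORTAL."""
    if url not in SAMPLE_PORTAL:
        raise RuntimeError(f"HTTP 403 Forbidden: {url}")
    return SAMPLE_PORTAL[url]


if __name__ == "__main__":
    for name, info in audit_portal(PORTAL, fetch=fake_fetch).items():
        flag = "EXPOSED PII" if info["exposed"] and info["sensitive_fields"] else (
               "exposed (public-looking)" if info["exposed"] else "not readable")
        print(f"{name:20s} {flag:25s} {info['sensitive_fields']}")
```

Run against a real portal by calling audit_portal with the default fetcher; an entity set that is exposed but carries no sensitive-looking fields is the intended-public case (sites and slots), while one that is exposed and lists fields such as dateofbirth or employeeid is the condition UpGuard reported. The field-name heuristic is only a triage aid and should be followed by a manual look at the sampled rows.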



Microsoft, for its part, does not treat the exposure as a vulnerability in the product but as a customer configuration problem. In response, Microsoft has released an update to its Portal Checker tool that flags lists whose data is exposed through the OData feed, and has changed the product so that table permissions are enforced by default on newly created portals.

in Software,   Security, Posted by logu_ii