More than a thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. The data included a range of sensitive information, from people’s phone numbers and home addresses to social security numbers and Covid-19 vaccination status.
The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.
The exposed data was all stored in Microsoft's Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.
Beginning in May, researchers from the security firm Upguard began investigating a large number of Power Apps portals that publicly exposed data that should have been private—including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is significant still, as it reveals an oversight in the design of Power Apps portals that has since been fixed.
In addition to managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data. But the Upguard researchers realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default.
“We found one of these that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” says Greg Pollock, UpGuard's vice president of cyber research. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
The types of information the researchers stumbled across was wide-ranging. The J.B. Hunt exposure was job applicant data that included social security numbers. And Microsoft itself exposed a number of databases in its own Power Apps portals, including an old platform called “Global Payroll Services,” two "Business Tools Support" portals, and a “Customer Insights” portal.
The information was limited in many ways. The fact that the state of Indiana, for example, had a Power Apps portal exposure doesn't mean that all the data the state holds was exposed. Only a subset of contact-tracing data used in the state's Power Apps portal was involved.
Misconfiguration of cloud-based databases has been a serious issue over the years, exposing huge quantities of data to inappropriate access or theft. Major cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customers' data privately by default from the start and flag potential misconfigurations, but the industry didn't prioritize the issue until fairly recently.
After years of studying cloud misconfigurations and data exposures, the Upguard researchers were surprised to discover those issues in a platform they'd never seen before. Upguard attempted to survey the exposures and notify as many affected organizations as possible. The researchers couldn't get to every entity, though, because there were too many, so they also disclosed the findings to Microsoft. At the beginning of August, the Microsoft announced that Power Apps portals will now default to storing API data and other information privately. The company also released a tool customers can use to check their portal settings. Microsoft did not respond to a request from WIRED for comment.
While the individual organizations caught up in the situation could have theoretically found the issue themselves, UpGuard's Pollock emphasizes that it is incumbent upon cloud providers to offer secure and private defaults. Otherwise it's inevitable that many users will unintentionally expose data.
It's a lesson that the whole industry has slowly, sometimes painfully, had to learn.
“Secure default settings matter,” says Kenn White, director of the Open Crypto Audit Project. “When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong. If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.”
Between Microsoft's fixes and UpGuard's own notifications, Pollock says that the vast majority of the exposed portals, and all of the most sensitive ones, are now private.
“With other things we’ve worked on, it's public knowledge that cloud buckets can be misconfigured, so it's not incumbent on us to help secure all of them,” he says. “But no one had ever cleaned these up before, so we felt we had an ethical duty to secure at least the most sensitive ones before being able to talk about the systemic issues.”