Apps built with Microsoft Power Apps may leak users’ personal information

Misconfigured applications built with Microsoft Power Apps leave millions of personally identifiable information entries exposed.

How does the information companies collect fall into the wrong hands? Sometimes insiders sell it, and sometimes targeted hacking springs the leak, but most often, personally identifiable information gets out through misconfigured services or programs. Adding to mountains of evidence of just that, researchers from UpGuard found that personally identifiable information from 38 million people had been exposed. The source of the leak is some poorly configured Web applications created with the Microsoft Power Apps platform. Fortunately, malefactors do not seem to have gotten access to the information.

Power Apps misconfiguration

As a tool that helps companies build apps and Web portals without the need for heavy development investments, Microsoft’s Power Apps uses the low-code principle (that is, it does not require writing code as such). User reviews hype the ability to turn any idea into reality without having experience in IT and programming.

That simplicity is the root of the problem. Using Power Apps, people who not only lacked IT experience, but also ignored information security, created tools that — surprise! — weren’t secure. The researchers found 47 companies and government agencies that used Power Apps to create tools that collected personal data but did not keep that data safe.

To summarize a long and rather technical explanation, Power Apps lets users create tools both for sharing data and for collecting data. In both cases the data is stored in tables, and the creator of the app can enable access permissions to them. By default, the permissions were disabled. On the one hand, that let creators enable sharing easily. On the other hand, it essentially made the tables public. That is why the collected information remained available from outside the companies.

How to protect your company’s and clients’ data from leaks

After the researchers reported the leak, Microsoft changed the platform’s default settings. Now, when somebody creates a new project that collects personal data, it will store any information it collects such that outsiders won’t be able to access it. However, apps and Web services created before Microsoft’s update may still be vulnerable. If your company uses Microsoft Power Apps, you should check all configuration options thoroughly to avoid this kind of leak, especially if your applications collect and store personally identifiable information.

However, the problem is actually much broader. Power Apps is far from the only low-code platform people lacking IT expertise use to create services, applications, and websites. These tools, which in many cases companies use for internal tasks only, may go entirely unnoticed by security departments. Meanwhile, they can contain source-code vulnerabilities, errors that occur when integrating with other business processes, or, as in this case, misconfigurations.

Therefore, we recommend companies that use low-code platforms do the following:

  • Carefully check the security and privacy settings of both published and not-yet-published apps;
  • Educate information security departments about the use of such platforms in business processes;
  • Employ external experts (if not internal specialists) for security assessment.
Tips