Security Week
UpGuard security researchers have identified tens of Microsoft Power Apps portals that exposed millions of records because they were misconfigured.
Microsoft Power Apps portals allow organizations to create different types of websites – including social engagement application platforms, ecommerce portals, and services and support sites – that can be shared externally or internally.
Access to the portals should be provided in a secure manner, either anonymously or through commercial authentication providers, including Facebook, Google, LinkedIn, or Microsoft.
Misconfigurations, however, may lead to unauthorized access to data, and UpGuard says it has identified a total of 47 such instances. The affected entities, ranging from airlines to government organizations and Microsoft itself, exposed 38 million records to the Internet across all portals.
Following the discovery of an incident where personally identifiable information (PII) was being exposed through the OData API for a Power Apps portal, UpGuard launched an investigation to identify additional instances, and discovered that tens of other portals on powerappsportals.us exposed data through the OData APIs.
The 38 million exposed records that UpGuard identified contained various amounts of personally identifiable information, including names, addresses, phone numbers, email addresses, birth dates, vaccination types, COVID-19 testing appointment information, employer IDs, job types, and even Social Security Numbers in some cases.