Default settings in Microsoft tool exposes 38 mn users' data: Cyber security researchers

A default permissions settings in Microsoft Power Apps might have exposed data of 38 million users online cyber security researchers reportedAccording to security research network UpGuard the types of data included personal information used for Covid19 contact tracing vaccination appointments social security numbers for job applicants employee IDs and millions of names and email addressesUpGuard notified 47 entities of exposures involving personal information including governmental bodies like Indiana Maryland and New York City and private companies like American Airlines JB Hunt and Microsoft for a total of 38 million records across all portalsThe number of accounts exposing sensitive information however indicates that the risk of this feature the likelihood and impact of its misconfiguration has not been adequately appreciated the UpGuard team said in a blog postAlso read Microsoft quietly rolls out Windows Server 2002 ahead of Windows 11Microsoft Power Apps are a product for making low code cloudhosted business intelligence apps Power Apps portals are a way to create a public website to give both internal and external users secure access to your dataUsers can create websites in the Power Apps UI with application capabilities like user authentication forms for users to enter data data transformation logic storage of structured data and APIs to retrieve that data by other applicationsOur conversations with the entities we notified suggested the same conclusion multiple governmental bodies reported performing security reviews of their apps without identifying this issue presumably because it has never been adequately publicised as a data security concern before they addedThere is however no evidence that the data has been exploitedOn May 24 an UpGuard analyst first discovered that the OData API for a Power Apps portal had anonymously accessible list data including personally identifiable informationThe owner of that application was notified and the data securedThat case led to the question of whether there were other portals with the same situation the combination of configurations allowing lists to be accessed anonymously via OData feed APIs and sensitive data collected and stored by the apps the team notedAs reported by Wired Microsoft has now changed the default permissions settings responsible for the exposureThis story has been sourced from a third party syndicated feed agencies Midday accepts no responsibility or liability for its dependability trustworthiness reliabilitsy and data of the text Midday managementmiddaycom reserves the sole right to alter delete or remove without notice the content in its absolute discretion for any reason whatsoever