Microsoft makes OData APIs privacy-preserving by default after revelations

UPDATED More than 1,000 web applications have collectively leaked millions of records containing sensitive personal data because of misconfigurations in Microsoft Power Apps, a cybersecurity firm has revealed.

Among other data, 38 million publicly viewable records involving Covid-19 contact tracing information, social security numbers, and names, phone numbers, and email addresses, according to a write-up published by UpGuard yesterday (August 23).

UpGuard says it alerted 47 organizations that they had inadvertently exposed sensitive personal data online, including Ford, American Airlines, NYC Schools, transportation and logistics company J.B. Hunt, and – as reported by The Daily Swig – the Indiana Department of Health.


YOU MIGHT ALSO LIKE US healthcare org sends data breach warning to 1.4m patients following ransomware attack


The infosec outfit later discovered that some government bodies had even failed to detect the privacy blunders during security reviews of their web applications.

Even Microsoft misconfigured its own internal Power Apps portals, with a collection of 332,000 email addresses and employee IDs used for the company’s global payroll services exposed as a result, the most egregious example discovered by UpGuard.

Public by default

Power Apps is a ‘low-code’ tool used to build web applications through which customers, employees, or other groups of citizens can submit and access data.

The source of the misconfigurations stemmed from the fact that OData (Open Data Protocol) APIs used for retrieving data from Power Apps lists for display on portals were not privacy-protecting by default.

Soon-to-be deprecated documentation for Power Apps instructs developers that, if they enable the OData feed, they must also enable ‘table permissions’ in order to make the data private.

If they don’t, according to UpGuard, “anonymous users can access list data freely”.

In response to the findings, Microsoft is enabling table permissions by default. In addition, Redmond has released a Portal Checker tool for detecting lists that allow anonymous access.

Constructive criticisms

UpGuard applauded these changes but also offered some constructive criticisms.

After notifying Microsoft of its findings on June 24 and liaising further with its security team, Upguard said that Microsoft then declared the case closed on June 29 having “determined that this behavior is considered to be by design”.

Microsoft only later took remedial actions after being appraised of the most egregious data exposures, said Upguard.


Catch up on the latest data breach news


“While we understand (and agree with) Microsoft’s position that the issue here is not strictly a software vulnerability, it is a platform issue that requires code changes to the product, and thus should go in the same workstream as vulnerabilities,” added the infosec firm.

In response, a Microsoft spokesperson told The Daily Swig that “only a small subset of customers” misconfigured their portals as described by UpGuard “and we worked closely with those customers to ensure they were using the privacy settings consistent with their needs”.

They also said customers “are notified about public feed availability when discovered”, and pointed users to Microsoft guidance on securing lists and OData feeds.

“Our primary portal designer, Design Studio, uses strong privacy settings by default,” added the spokesperson. “We are in the process of ensuring alternative designer tools default to similar strong settings.”

They added: “Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”

‘Designated privacy contact’

UpGuard also recommended that Microsoft and fellow software-as-a-service (SaaS) operators “improve end user visibility of access logs”, which are “crucial to executing incident response plans”.

Organizations more generally should have a “designated privacy contact on an easily searchable web page”, added Upguard, which said it struggled to reach an appropriate employee who could remediate exposed data in some of the cases it identified.

“Further, it must be an email address rather than a form,” said the firm. “Researchers sometimes need evidence of their exact message to affected entities in order to refute baseless smears, and email messages provide a useful record for those cases.”


This article was updated on August 24 with comments from Microsoft.


RELATED Whistleblowing security researchers deny ‘inappropriate access’ to Indiana Covid-19 survey data