A Microsoft Power Apps API vulnerability led to more than a thousand web apps accidentally exposing 38 million records online. Because the APIs defaulted to making data publicly accessible, organizations had to manually enable their privacy settings. Among the companies affected are major players like American Airlines.
Microsoft’s Power Apps portal service is a development platform designed to make it easy to create web or mobile apps for external use. Despite coming from a reputable company, the misconfiguration of cloud-based databases remains a serious issue, with many incidents reported over the past few years (as reported by Wired).
As a result of this customization requirement, customers misconfigured their apps by leaving the insecure default. The exposed records included data from various COVID-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases, such as phone numbers, home addresses, Social Security numbers and an individual’s vaccination status.
Looking into matters for Digital Journal is Nathanael Coffing, co-founder and CSO of Cloudentity.
According to Coffing, the issue was avoidable had greater thought been given to the way that the technology was set up. He notes: “In this scenario, the application programming interfaces (APIs) on Microsoft Power Apps were lacking authentication and authorization which made data from these applications publicly available, so that anyone actively searching for a web app containing users’ information could have easily accessed personal data such as COVID-19 tracing forms, vaccination sign-ups and employee databases.”
There are lessons to be learned from the incident, says Coffing, notwithstanding the best efforts made to correct things.
Coffing says: “While the flaws discovered in the platform have been patched, it’s still evident that organizations have a long way to go in terms of proper API security. To prevent misconfigurations and similar vulnerabilities from occurring, APIs must be securely operated within Automated Identity, Authorization, Consent and governance guardrails to safeguard sensitive data.”
Coffing adds the further recommendation: “To stay ahead of cybercriminals, this necessary level of security requires organizations to implement context-based, granular authorization for APIs, along with a Zero Trust API Authorization approach. Only then can organizations ensure all internal, customer and partner data that is stored and collected by their APIs is completely secure.”
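The two points above, the insecure default that hands records to anonymous callers and the granular, default-deny authorization Coffing recommends, can be shown side by side in a small model. The following is an added example written for this page; it is not code from the article, from Cloudentity or from Microsoft, and the names FeedConfig, Request, authorize, read_table, harden and audit_feeds, the role names and the sample records are all constructed for illustration rather than real Power Apps identifiers.

```python
"""
Model of a portal that exposes one data feed per table. With the permissions
flag off (the insecure default), the feed answers anyone, anonymous or not.
With it on, access is denied unless the caller is authenticated and holds a
role explicitly granted for that table. audit_feeds() lists feeds that would
still serve an anonymous caller, which is the check an operator would run
before exposing a portal. Everything here is hypothetical illustration code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FeedConfig:
    """Per-table feed settings. The default mirrors the article: permissions off."""
    table: str
    table_permissions_enabled: bool = False
    read_roles: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """A caller. principal=None models an unauthenticated (anonymous) request."""
    table: str
    principal: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


# Constructed sample records; the identifiers are obviously fake.
TABLES: Dict[str, List[dict]] = {
    "contacts": [{"name": "A. Example", "phone": "000-000-0000"}],
    "vaccinations": [{"name": "B. Example", "status": "complete"}],
}


def authorize(cfg: FeedConfig, req: Request) -> bool:
    """Return True if the request may read the feed described by cfg."""
    if not cfg.table_permissions_enabled:
        # Insecure default: no authentication, no authorization, anyone reads.
        return True
    if req.principal is None:
        # Hardened path: anonymous callers are refused outright.
        return False
    # Granular check: the caller needs a role granted for this specific table.
    return bool(req.roles & cfg.read_roles)


def read_table(cfg: FeedConfig, req: Request) -> List[dict]:
    """Serve the records, or raise PermissionError when authorize() denies."""
    if not authorize(cfg, req):
        raise PermissionError(f"access to table '{cfg.table}' denied")
    return list(TABLES.get(cfg.table, []))


def harden(cfg: FeedConfig, read_roles: Set[str]) -> FeedConfig:
    """Produce the corrected configuration: permissions on, explicit role grants."""
    return FeedConfig(cfg.table, table_permissions_enabled=True,
                      read_roles=set(read_roles))


def audit_feeds(configs: List[FeedConfig]) -> List[str]:
    """Names of tables whose feed would hand records to an anonymous caller."""
    exposed = []
    for cfg in configs:
        if authorize(cfg, Request(table=cfg.table, principal=None)):
            exposed.append(cfg.table)
    return exposed


if __name__ == "__main__":
    insecure = FeedConfig("contacts")                  # left on the default
    hardened = harden(FeedConfig("vaccinations"), {"clinic_staff"})
    anon = Request("contacts")
    staff = Request("vaccinations", principal="nurse1", roles={"clinic_staff"})

    print("anonymous read of insecure feed:", read_table(insecure, anon))
    try:
        read_table(hardened, Request("vaccinations"))
    except PermissionError as err:
        print("anonymous read of hardened feed:", err)
    print("staff read of hardened feed:", read_table(hardened, staff))
    print("feeds still exposed:", audit_feeds([insecure, hardened]))
```

Running the module prints the anonymous read succeeding against the default configuration, the same read refused after harden(), and the audit naming only the feed still on the default; the audit is the part worth keeping as a pre-deployment check, since a single table left on the default is enough to reproduce the exposure the article describes.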