Microsoft Power Pages Leak Millions of Private Records

Published: 23/11/2024 | Category: security




Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.



Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.
Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.
Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.
The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.
Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.
First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.
The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.
The most granular of Power Pages' access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is masking, where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.
The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, "accessing the data on their sites is very, very trivial," Costello says. "Once you understand [what's going on], it's just a matter of going to these URLs."
"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.
Some sites grant even anonymous users global access to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.
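An added illustration (not code from the article, AppOmni, or Microsoft) of how the three tiers described above can be checked in one pass: a Python audit over an assumed model of a site's registration setting, table permissions, and column masks that flags the patterns Costello describes (anonymous Global reads, "authenticated only" tables undermined by open registration, and missing column-level masking on personal data). The data model and the sample site are constructed for this example.

```python
# Added audit over a constructed model of the three Power Pages access-control
# tiers the article describes. Web roles "Anonymous Users"/"Authenticated Users"
# and access types Global/Contact/Account/Self are Power Pages terms; the data
# model and sample site are assumptions built for this illustration.
from dataclasses import dataclass, field

@dataclass
class TablePermission:
    table: str
    roles: tuple        # web roles the permission is assigned to
    access_type: str    # "Global" = every row; "Contact"/"Self" = the user's own rows
    read: bool = True

@dataclass
class SiteConfig:
    open_registration: bool          # site-level: can anyone create an account?
    permissions: list                # table-level permissions
    sensitive_columns: dict          # table -> columns holding personal data
    masked_columns: dict = field(default_factory=dict)  # table -> masked columns

def audit(site: SiteConfig) -> list:
    """One finding per exposure pattern from the article; empty list if clean."""
    findings = []
    for p in site.permissions:
        if not (p.read and p.access_type == "Global"):
            continue  # row-scoped read (Contact/Self/Account) is the intended setup
        if "Anonymous Users" in p.roles:
            findings.append(f"{p.table}: anonymous Global read exposes every row")
        elif "Authenticated Users" in p.roles and site.open_registration:
            findings.append(f"{p.table}: any self-registered account reads every row")
    for table, cols in site.sensitive_columns.items():
        readable = any(p.read and p.table == table for p in site.permissions)
        bare = [c for c in cols if c not in site.masked_columns.get(table, ())]
        if readable and bare:
            findings.append(f"{table}: no column-level masking on {', '.join(bare)}")
    return findings

# Constructed sample: employee directory readable by anyone who signs up, a
# contact table open to anonymous visitors, and a correctly scoped ticket table.
SAMPLE_SITE = SiteConfig(
    open_registration=True,
    permissions=[
        TablePermission("employee", ("Authenticated Users",), "Global"),
        TablePermission("contact", ("Anonymous Users",), "Global"),
        TablePermission("ticket", ("Authenticated Users",), "Contact"),
    ],
    sensitive_columns={"employee": ["phone", "email", "home_address"], "ticket": ["email"]},
    masked_columns={"ticket": ("email",)},
)
```

Running `audit(SAMPLE_SITE)` returns three findings (two table-level, one column-level); scoping the employee table to Contact access, closing registration, or masking the columns clears them.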
Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.
One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.
As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."
When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places," Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."
Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.
"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.
Dark Reading has reached out to Microsoft for comment on this story.
