32 with 25 posters participating
More than a thousand web apps mistakenly exposed 38 million records on the open Internet, including data from a number of COVID-19 contact-tracing platforms, vaccination sign-ups, job application portals, and employee databases. The data included a range of sensitive information, from people’s phone numbers and home addresses to Social Security numbers and COVID-19 vaccination status.
The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.
The exposed data was all stored in Microsoft’s Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend.
Beginning in May, researchers from the security firm UpGuard began investigating a large number of Power Apps portals that publicly exposed data that should have been private—including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is significant still, as it reveals an oversight in the design of Power Apps portals that has since been fixed.
serious issue over the years, exposing huge quantities of data to inappropriate access or theft. Major cloud companies like Amazon Web Services, Google Cloud Platform, and Microsoft Azure have all taken steps to store customers’ data privately by default from the start and flag potential misconfigurations, but the industry didn’t prioritize the issue until fairly recently.
announced that Power Apps portals will now default to storing API data and other information privately. The company also released a tool customers can use to check their portal settings. Microsoft did not respond to a request from WIRED for comment.
While the individual organizations caught up in the situation could have theoretically found the issue themselves, UpGuard’s Pollock emphasizes that it is incumbent upon cloud providers to offer secure and private defaults. Otherwise it’s inevitable that many users will unintentionally expose data.
It’s a lesson that the whole industry has slowly, sometimes painfully, had to learn.
“Secure default settings matter,” says Kenn White, director of the Open Crypto Audit Project. “When a pattern emerges in web-facing systems built using a particular technology that continue to be misconfigured, something is very wrong. If developers from diverse industries and technical backgrounds continue to make the same missteps on a platform, the spotlight should be squarely on the builder of that platform.”
Between Microsoft’s fixes and UpGuard’s own notifications, Pollock says that the vast majority of the exposed portals, and all of the most sensitive ones, are now private.
“With other things we’ve worked on, it’s public knowledge that cloud buckets can be misconfigured, so it’s not incumbent on us to help secure all of them,” he says. “But no one had ever cleaned these up before, so we felt we had an ethical duty to secure at least the most sensitive ones before being able to talk about the systemic issues.”
This story originally appeared on wired.com.