
Microsoft leaked 38 million personal data records and did not admit error

by alex

Microsoft caused a major personal data leak by not checking permissions in the default settings of its Power Apps service. As a result, 38 million records of confidential information were exposed on the internet, including data from applications used to trace contacts of people infected with coronavirus. Anyone could view not only people's addresses and phone numbers, but also their insurance numbers and even their COVID-19 vaccination status. The corporation nevertheless refused to admit error or negligence.

The Microsoft Power Apps platform is designed to simplify the creation of business applications. Among other things, the service provides ready-made application programming interfaces (APIs) that are integrated with the internal data of customer organizations. UpGuard found that when these APIs were used, the platform did not check permissions by default. As a result, many customers left confidential information from their applications publicly accessible.

The leak affected many large companies and organizations, including American Airlines, Ford, the large US transportation company JB Hunt, the Maryland Department of Health, the Department of Urban Transportation and New York schools. Experts from UpGuard contacted Microsoft and pointed out the vulnerability. However, the corporation refused to acknowledge the problem and told the security researchers to read the documentation.

Having failed to get the desired response from Microsoft, UpGuard employees began notifying companies and government agencies about the specifics of the Power Apps settings. After that, customers began to close access to their data manually. In early August, Microsoft itself announced that all internal data of Power Apps portal users would now be private by default. The IT giant also added a warning, highlighted in pink, to the documentation about the insecurity of disabling this option.

In July, it became known that Microsoft had paid $13.6 million to cybersecurity researchers over the year as rewards for vulnerabilities they found. More than 340 specialists from 58 countries received the money. The average payout under the program was $10,000, and the largest award was $200,000. Over the year, Microsoft received more than 1,200 vulnerability reports.
