These portal websites fetch data from Power Apps via Open Data Protocol (OData) APIs. The API uses Power Apps lists, a way to render a list of database records. A list is essentially a query made to a specific database table, combined with additional parameters and attributes.

As Microsoft explains in its documentation, "To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true."

But as UpGuard's researchers found, many organizations didn't do so, and that made their Power Apps portal lists accessible to anyone.

On June 24, UpGuard reported its findings to Microsoft. "Among the examples of sensitive data exposed via OData APIs were three Power Apps portals used by American governmental entities to track COVID-19 tracing or vaccination and a portal with job applicant data including Social Security Numbers," UpGuard said in a blog post.

"We mentioned that these instances were examples of a broader pattern, with a significant number of Power Apps portals configured to allow anonymous access to lists and exposing PII as a result."

In an email to The Register, a Microsoft spokesperson offered a variation on that theme: "Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs."

How dare you point out our flaws!

Microsoft has nonetheless taken steps to make its low-code apps more secure by default, changing Power Apps portals to enable table permissions by default rather than assuming the user will opt in to security.

The company also tweaked its documentation page, which previously presented advice in purple Note boxes, by adding a pink Caution warning: "Use caution when enabling OData feeds without table permissions for sensitive information."

UpGuard's findings were not universally welcomed. Acknowledging last week that "data from the state's COVID-19 online contact tracing survey was improperly accessed," Tracy Barnes, chief information officer for the State of Indiana, suggested the data exposure followed from UpGuard profiteering.

"The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business," said Barnes.

UpGuard in its post disputed Barnes' insinuation and challenged the Indiana Department of Health to release the agency's recording of the conference call in which UpGuard discussed its findings with state officials.

"During five years of sending data breach notifications, UpGuard has never approached Indiana or any other company notified of a breach for business, and there is no merit to Mr. Barnes's statement," said UpGuard.

Following its initial disclosure to Microsoft, UpGuard found several of Microsoft's own Power Apps portal sites were exposing data. The Global Payroll Services Portal, used for handling payroll questions until being deprecated last year, had 332,000 exposed contacts, with their Microsoft email, full name, phone number, employee ID, and other data fields. The situation was similar for two portals related to Business Tools Support, three Mixed Reality portals, and an Azure China portal operated by 21Vianet.
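The misconfiguration described above is easy to check for on a portal you own: if a list's OData feed is enabled without table permissions, an unauthenticated GET on the entity set returns records. The script below is an added example written for this page, not UpGuard's tooling or anything from Microsoft. It assumes the portal's OData service document lives at `<portal>/_odata` and is OData v4 JSON (`{"value": [{"name": ..., "kind": "EntitySet", ...}]}`); the `/_odata` path, the `example.powerappsportals.com` host and the entity-set names in the sample document are assumptions for illustration, and the sample document itself is constructed, not captured data.

```python
"""Added example: probe a Power Apps portal's OData feed without credentials and
report which entity sets return records anonymously. Not code from UpGuard or
Microsoft; the /_odata path and all names here are assumptions."""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

ODATA_PATH = "/_odata"  # assumed location of the portal OData service document

# Constructed sample of an OData v4 service document, shaped like the JSON a
# portal feed returns; entity-set names are illustrative, not captured data.
SAMPLE_SERVICE_DOCUMENT = json.dumps({
    "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
    "value": [
        {"name": "contacts", "kind": "EntitySet", "url": "contacts"},
        {"name": "Me", "kind": "Singleton", "url": "Me"},
        {"name": "annotations", "url": "annotations"},
    ],
})


def parse_service_document(body: str) -> List[str]:
    """Return entity-set names from an OData v4 service document.

    Entries without a "kind" default to EntitySet, as the OData v4 JSON format
    allows; singletons and function imports are skipped.
    """
    doc = json.loads(body)
    return [
        entry["name"]
        for entry in doc.get("value", [])
        if entry.get("kind", "EntitySet") == "EntitySet"
    ]


def classify(status: int, body: Optional[str]) -> str:
    """Map the result of an unauthenticated GET on an entity set to a finding."""
    if status in (401, 403):
        return "protected"       # feed exists but anonymous reads are refused
    if status == 404:
        return "not-exposed"     # no OData feed enabled for this table
    if status != 200:
        return f"unexpected-{status}"
    try:
        doc = json.loads(body or "")
    except json.JSONDecodeError:
        return "unexpected-body"  # e.g. an HTML login page instead of JSON
    if not isinstance(doc, dict):
        return "unexpected-body"
    # 200 with an empty value array: the feed is on but table permissions (or a
    # filter) hide every row from anonymous callers. Any row means exposure.
    return "anonymous-read" if doc.get("value") else "empty"


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """GET url with no cookies or credentials; return (status, body)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, None
    except URLError:
        return 0, None


def probe_portal(base_url: str, fetcher: Callable = fetch) -> Dict[str, str]:
    """Walk the service document and classify every entity set.

    fetcher is injectable so the walk can be exercised offline; the default
    makes real requests, so run it only against portals you are authorised to test.
    """
    base = base_url.rstrip("/")
    status, body = fetcher(base + ODATA_PATH)
    if status != 200 or body is None:
        return {}
    findings = {}
    for name in parse_service_document(body):
        # $top=1 keeps the request cheap; one row is enough to prove exposure
        findings[name] = classify(*fetcher(f"{base}{ODATA_PATH}/{name}?$top=1"))
    return findings


if __name__ == "__main__":
    import sys
    for entity, verdict in probe_portal(sys.argv[1]).items():
        print(f"{verdict:15} {entity}")
```

A portal is clean when every entity set comes back `protected`, `not-exposed` or `empty`; any `anonymous-read` finding means the list's feed is serving rows without table permissions, which is the condition Microsoft's Caution box now warns about.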