Microsoft Power Pages Misconfigurations Expose Millions of Sensitive Records

A misconfiguration in Microsoft Power Pages exposed millions of sensitive records due to misconfigured access controls.

Published: Nov 14, 2024

Security – 5

SHARE ARTICLE

Key Takeaways:

  • A misconfiguration in Microsoft Power Pages has exposed millions of sensitive records, affecting data from government entities, healthcare, and other organizations.
  • The vulnerability, identified by SaaS security researchers, stems from excessive data access permissions, weak column-level security, and inadequate data masking practices.
  • Microsoft has implemented backend warnings to alert administrators about potentially unsafe configurations.

Cybersecurity researchers have discovered a new data exposure issue in Microsoft Power Pages, stemming from misconfigured access controls in websites built with the platform. This flaw exposed millions of sensitive business records to unauthorized users, posing a serious security risk for affected organizations.

Microsoft Power Pages is a low-code software as a service (SaaS) platform that allows customers to build, host, and manage business websites. It lets users design and publish externally facing websites using a visual design studio and customizable templates.

In September, Aaron Costello, head of SaaS security research at AppOmni, discovered that a major business service provider for the NHS had unintentionally allowed unauthorized access to sensitive data due to insecure permission settings on Power Pages. The NHS has since resolved this misconfiguration.

However, researchers found that this same misconfiguration also exposed several million additional records from government entities and organizations. These included internal company files, sensitive information, and data from registered site users.

Misconfigured access controls Power Pages
Misconfigured access controls expose PII via Web API (Image Credit: Microsoft)

What are the causes of data exposure?

The report identified four main reasons for the exposure of business data, the first being that Power Pages reveal too many columns to the Web API. “By granting unauthenticated users excessive permissions, anyone may have the ability to extract records from the database using readily-available Power Page APIs,” Costello explained.

Additionally, a Power Pages site allows users to register and become authenticated through associated APIs. External users can also be granted global access for read operations. Moreover, the lack of column-level security for sensitive columns could let hackers view data without restriction. The researchers also observed that users don’t replace sensitive data with masked strings.

Microsoft has added several warnings in the backend of Power Pages and Power Platform Apps to alert admins of potentially dangerous configurations. Admins will see a banner across all Power Platform admin console pages, along with a message and warning icon on the Power Pages’ table permissions configuration page.

SHARE ARTICLE