Security Flaw in Microsoft Power Pages Exposes Sensitive Data, Warns AppOmni
A significant security vulnerability has been uncovered in Microsoft Power Pages, a widely used low-code development platform with over 250 million users monthly. AppOmni, a company specializing in SaaS security, has reported that misconfigurations within Power Pages could potentially expose millions of sensitive records across various sectors, including healthcare, finance, and automotive. Affected organizations include prominent entities such as the UK’s National Health Service (NHS), which reportedly disclosed the personal information of over 1.1 million employees, including email addresses, phone numbers, and residential addresses.
Researchers attribute these data breaches primarily to improperly configured access controls in Power Pages, which is used to build Dataverse-backed applications such as web portals. The customizable nature of the platform can inadvertently render sensitive data accessible to unauthorized users. This vulnerability illustrates the critical importance of maintaining stringent security measures when developing external-facing applications.
Power Pages employs a multi-layered access control mechanism that encompasses site-level, table-level, and column-level permissions. However, when organizations fail to configure these settings correctly, they may inadvertently expose sensitive data to the public internet. For example, organizations can inadvertently broaden their attack surface by exposing excessive columns to the Web API. Misconfiguring the Web API settings can grant access to all data within a table, rendering sensitive information vulnerable.
Furthermore, enabling features such as open registration and external authentication can inadvertently allow unauthorized users entry to confidential data. By default, upon deployment, Power Pages permits self-registration and login, even if the pages themselves are not directly visible on the platform. Users authenticated through APIs are provided more permissions than anonymous users, increasing the risk of data exposure.
A lack of granular control can lead to serious consequences. Allowing global access to anonymous users can result in unauthorized access to sensitive information. Even when table-level permissions are accurately set, failing to restrict access to particular columns can lead to data leaks. The absence of data masking techniques further exacerbates this issue, allowing personally identifiable information (PII) to remain unprotected and exposed.
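The three misconfigurations described above (a Web API field list of `*`, a Global-scope table permission assigned to the Anonymous Users web role, and a table permission with no column permissions) can be checked mechanically. The following audit is an added example, not AppOmni's or Microsoft's code; the `Webapi/<table>/enabled` and `Webapi/<table>/fields` site-setting names are the documented ones, while the exported permission layout, the sensitive-column list and the sample data are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed list of columns treated as PII for this example.
SENSITIVE_COLUMNS = {"emailaddress1", "telephone1", "address1_line1", "birthdate"}


@dataclass
class TablePermission:
    table: str
    access_type: str          # e.g. "Global", "Account", "Contact", "Self"
    web_roles: list           # web roles the permission is assigned to
    column_permissions: list = field(default_factory=list)  # empty = every column readable


def audit(site_settings: dict, permissions: list) -> list:
    """Return findings for the Power Pages misconfigurations described in the text."""
    findings = []
    global_anon = set()
    for p in permissions:
        if p.access_type == "Global" and "Anonymous Users" in p.web_roles:
            global_anon.add(p.table)
            findings.append(f"{p.table}: Global-scope permission assigned to Anonymous Users")
        if not p.column_permissions:
            findings.append(f"{p.table}: no column permissions, all covered columns are readable")

    # Only tables whose Web API is switched on can leak through it.
    enabled = {n.split("/")[1] for n, v in site_settings.items()
               if n.lower().startswith("webapi/") and n.lower().endswith("/enabled")
               and str(v).lower() == "true"}
    for name, value in site_settings.items():
        parts = name.split("/")
        if len(parts) != 3 or parts[0].lower() != "webapi" or parts[2].lower() != "fields":
            continue
        table = parts[1]
        if table not in enabled:
            continue
        exposed = {c.strip() for c in str(value).split(",")}
        if "*" in exposed:
            severity = "CRITICAL" if table in global_anon else "HIGH"
            findings.append(f"{table}: {severity} Web API exposes all columns (fields=*)")
        elif exposed & SENSITIVE_COLUMNS:
            findings.append(f"{table}: Web API exposes sensitive columns {sorted(exposed & SENSITIVE_COLUMNS)}")
    return findings


# Constructed sample export: one over-exposed table, one correctly scoped table.
SAMPLE_SETTINGS = {
    "Webapi/contact/enabled": "true", "Webapi/contact/fields": "*",
    "Webapi/incident/enabled": "true", "Webapi/incident/fields": "title,description",
}
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Global", ["Anonymous Users", "Authenticated Users"]),
    TablePermission("incident", "Contact", ["Authenticated Users"], ["title", "description"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_PERMISSIONS):
        print(finding)
```

Run against a real export, every finding for a table that also appears in a Web API `fields` setting should be resolved before the site is reachable from the public internet.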
As highlighted by AppOmni’s chief of SaaS security research, Aaron Costello, the potential for significant exposure is alarming, considering the massive user base of Microsoft Power Pages. Organizations spanning various sectors need to prioritize robust security measures when managing external-facing websites. With sensitive corporate data primarily residing in SaaS applications, the risk of cyberattacks targeting these platforms is ever-increasing.
The ramifications of such misconfigurations can be dire, as evidenced by the NHS data leak. Organizations face not only reputational damage but also potential legal repercussions following such breaches. The incident underscores the necessity for vigilance in access control management within SaaS applications, particularly when handling sensitive information.
To mitigate these risks, organizations must implement rigorous security protocols tailored for SaaS platforms. Regular audits of access controls, limitations on sensitive data access, robust authentication and authorization mechanisms, and staying informed of emerging security threats can collectively diminish the likelihood of data breaches, thereby safeguarding sensitive information from unauthorized access.
In the broader context of cyber threat frameworks such as the MITRE ATT&CK Matrix, this situation raises concerns regarding initial access and privilege escalation tactics that adversaries may exploit through mismanaged access controls. Understanding these tactics is essential for organizations aiming to enhance their security posture and protect against future cyber threats.