How to Use Tenable.io WAS to Find and Fix Sensitive Information Exposure in Microsoft Power Apps

Researchers identified a configuration issue in Microsoft Power Apps portals that exposed millions of records for nearly 50 organizations. Learn how you can use Tenable.io Web App Scanning to identify this configuration issue and prevent the exposure of sensitive information.

Thanks to Satnam Narang from the Security Response Team for his contributions to this blog post.

Background

On August 23, UpGuard Research published a blog post detailing its discovery of the exposure of 38 million records across 47 entities via Microsoft Power Apps portals. Power Apps portals, as Microsoft describes them, allows both internal and external individuals to securely access Microsoft Dataverse data using portals.

According to UpGuard, the Power Apps portals are configured for public access by default, which means anonymous users could access this data. In their research, Upguard found the exposure of personally identifiable information (PII), including COVID-19 related contact tracing and vaccination appointment details, social security numbers, employee IDs, names and addresses and a variety of other sensitive information.

UpGuard disclosed its findings to Microsoft in June. Microsoft responded that the behavior is “considered to be by design” and UpGuard’s case was closed. However, as recent industry data shows, misconfigurations in cloud environments can increase an organization's risk of being breached.

Two-thirds of cloud breaches were due to misconfigurations

IBM’s 2021 X-Force Cloud Security Threat Landscape Report, which analyzed data sets from Q2 2020 through Q2 2021, found that two-thirds of cloud environment breaches could have been prevented if misconfigurations and policies were properly reviewed and addressed. IBM’s findings were centered around improperly configured APIs and virtual machines, but the overarching theme of misconfigurations is also applicable to Power Apps. However, the problem with the Power Apps exposure is that organizations likely did not realize they were exposing this information when UpGuard identified the exposure.

Analysis

As a low-code platform — an environment that supports development via a graphical user interface instead of hand-coding — Microsoft Power Apps allow users to build and publish web pages rendering data from multiple sources using connectors. Among the different application types offered by the platform, Power Apps portals provide a web view which can be accessed by authenticated or anonymous users. By leveraging the concept of lists, a Power Apps user is able to quickly render a set of records from the data source without the need to write code.

The problem with default table permissions in Power Apps

Power Apps portals rely on web roles and table permissions to define the privileges allowed to the different users on a given list, whether they are authenticated or not. By default, table permissions are not applied to lists and need to be explicitly enabled with an option in the list properties:

Source: Tenable Research, 2021

Usually, lists are included in web pages which have their own permissions settings, preventing the pages from being accessed by unauthorized or anonymous users.

Exposing sensitive information through OData feeds

A feature of Power Apps portals lists allows users to publish the underlying data feed as a RESTful web service through the OData protocol:

Source: Tenable Research, 2021

OData feeds define a specific endpoint on the target application, which exposes OData metadata and the list of feeds available:

Example endpoint: https://myportal.powerappsportals.com/_odata/

Source: Tenable Research, 2021

With the previous default configuration, table permissions were not enforced on the various data collections returned in the OData feed, leading to the data being exposed to any user with a query targeting specific collections like: Example endpoint: https://myportal.powerappsportals.com/_odata/collection

Source: Tenable Research, 2021

Solution

The mitigation of this configuration issue requires enforcing table permissions, especially when the OData feed is enabled.

Power Apps portals management can be achieved by using Power Apps portals Studio or with the Power Apps portal management application.

With Power Apps portals Studio, table permissions are enabled by default when adding a new entity to a page:

Source: Tenable Research, 2021

Browsing a live website with this option enabled and without any explicit permission will display an error:

Source: Tenable Research, 2021

With Power Apps portal management, applications previously required users to enable the table permissions. Now, the option is set by default when creating an entity:

Source: Tenable Research, 2021

When trying to disable the table permissions, a warning is now displayed at the top of the Power Apps management console:

Source: Tenable Research, 2021

On July 15, Microsoft added release notes that include a configuration check for both existing and new portals to detect when the “Enable Table Permissions” is disabled when OData feeds are enabled:

Source: Tenable Research, 2021

Finally, Microsoft added a warning message in the Power Apps portals Studio when one or more entities exists without table permissions. This alert warns users that the permissions will be enforced automatically starting in April 2022:

Source: Tenable Research, 2021

Note that enabling table permissions does not prevent Power Apps administrators from misconfiguring a table if, for example, they set anonymous access to lists containing sensitive data.

Identifying affected systems

Power Apps portals are software-as-a-service (SaaS) web applications hosted in the Microsoft Cloud platform. Tenable.io Web App Scanning offers two plugins to help customers identify applications built on the Power Apps platform and determine whether they are potentially exposing data.

The Power Apps Application Detected plugin is designed to verify if an application hosted on a custom DNS name is a Power Apps portal:

Source: Tenable Research, 2021

Once a Power Apps portal is detected, customers can use the Power Apps OData Feeds Detected plugin. This plugin performs a check on the OData feeds to identify collections that can be publicly accessed and their associated URLs. Web App Scanning users can then browse the list of collections to verify if any sensitive or unexpected data has been exposed.

Source: Tenable Research, 2021

Note that Microsoft also provides the portal checker tool, which can be used in addition to Web App Scanning to allow administrators to run a configuration check on their portals and identify lists that allow for anonymous access:

Source: Tenable Research, 2021

Get more information

• UpGuard Blog Post about Microsoft Power Apps Data Exposure
• IBM X-Force Cloud Security Threat Landscape Report for Q2 2020 through Q2 2021

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.