Default Permission on Microsoft Power Apps Exposed Data

Overview

The Microsoft Power Platform is a platform for developing business intelligence applications.

Power Apps is a tool for low-code web app development. Some apps created with this platform before June 2021 used insecure settings by default which allowed anonymous data access.

Impact

If the web app uses lists to display data in a portal, this could be accessed without a login.

Vulnerability Detection

Microsoft has released a tool to check access rights for Power Apps Portals

Affected Products

Microsoft Power Apps using the OData API to retrieve data.

Containment, Mitigations & Remediations

Microsoft advises: “To secure a list, you must configure Table Permissions for the table for which records are being displayed and also select the checkbox for Enable Table Permissions setting”

Threat Landscape

This vulnerability has not been detected as being actively exploited. However, with the raising of awareness and the ability to anonymise connections across the Internet, it is likely that probing and access to open resources is likely to increase.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

By Design: How Default Permissions on Microsoft Power Apps Exposed Millions (UpGuard)
Microsoft Power Apps – About Lists
Analyze and resolve Portal Checker diagnostics results (Microsoft)