Default Permission on Microsoft Power Apps Exposed Data
Overview
The Microsoft Power Platform is a suite for building business intelligence and line-of-business applications.
Power Apps is its low-code tool for web app development. Some apps built with it before June 2021 used insecure default settings that allowed anonymous access to the data behind them.
Impact
If a web app uses lists to display data in a portal, that data could be read without a login.
Vulnerability Detection
Microsoft has released a tool (the Portal Checker) to check access rights for Power Apps Portals.
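Alongside the Portal Checker, a portal owner can confirm the fix from the outside by requesting the portal's OData feed with no credentials and seeing whether it answers with data or with a denial. The script below is an added example, not code from the original advisory or from Microsoft; it assumes the portal serves its OData service document at the path `/_odata/` (a hypothetical default to confirm against your own portal), and the sample responses are constructed, not captured from any real portal.

```python
import json
import urllib.error
import urllib.request

# Assumed OData service-document path for a Power Apps portal (hypothetical
# default; confirm it against your own portal before relying on it).
ODATA_PATH = "/_odata/"


def classify_odata_response(status, content_type, body):
    """Classify an unauthenticated response from the portal's OData feed.

    Returns a dict with:
      state       - "anonymous_feed" (service document readable without login),
                    "denied", "not_enabled", "no_data" or "unknown"
      entity_sets - names of the lists the feed advertises (only when readable)
    """
    if status in (401, 403):
        return {"state": "denied", "entity_sets": []}
    if status == 404:
        return {"state": "not_enabled", "entity_sets": []}
    if status == 200 and "json" in (content_type or "").lower():
        try:
            doc = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return {"state": "unknown", "entity_sets": []}
        names = [
            entry.get("name")
            for entry in doc.get("value", [])
            if isinstance(entry, dict) and entry.get("name")
        ]
        if names:
            return {"state": "anonymous_feed", "entity_sets": names}
        return {"state": "no_data", "entity_sets": []}
    # 200 with a non-JSON body is typically the sign-in page after a redirect.
    return {"state": "no_data" if status == 200 else "unknown", "entity_sets": []}


def check_portal(base_url, timeout=10):
    """Fetch the OData service document of *your own* portal with no
    credentials and classify the result. This is the only network call."""
    url = base_url.rstrip("/") + ODATA_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_odata_response(
                resp.status, resp.headers.get("Content-Type", ""), resp.read()
            )
    except urllib.error.HTTPError as err:
        return classify_odata_response(
            err.code, err.headers.get("Content-Type", ""), err.read()
        )


# Constructed sample responses (not captured from any real portal).
SAMPLE_EXPOSED = (
    200,
    "application/json; odata.metadata=minimal",
    b'{"@odata.context":"https://portal.example/_odata/$metadata",'
    b'"value":[{"name":"contacts","url":"contacts"},{"name":"cases","url":"cases"}]}',
)
SAMPLE_DENIED = (403, "text/html", b"<html>Forbidden</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_EXPOSED, SAMPLE_DENIED):
        print(classify_odata_response(*sample))
```

Run `check_portal("https://<your-portal>")` against a portal you administer: a result of `anonymous_feed` means the listed entity sets are advertised to anonymous users and each one's Table Permissions should be reviewed, while `denied` or `not_enabled` is the expected outcome once the mitigation below is applied.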
Affected Products
Microsoft Power Apps using the OData API to retrieve data.
Containment, Mitigations & Remediations
Microsoft advises: “To secure a list, you must configure Table Permissions for the table for which records are being displayed and also select the checkbox for Enable Table Permissions setting”
Threat Landscape
This vulnerability has not been detected as being actively exploited. However, as awareness grows and connections across the Internet are easy to anonymise, probing of and access to open resources is likely to increase.
Mitre Methodologies
T1190 – Exploit Public-Facing Application
Further Information
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions (UpGuard)
Microsoft Power Apps – About Lists
Analyze and resolve Portal Checker diagnostics results (Microsoft)