Default Permission on Microsoft Power Apps Exposed Data
The Microsoft Power Platform is Microsoft's low-code platform for building business applications. Power Apps is its tool for low-code web app development, and Power Apps Portals publish those apps to external users. Some portals created before June 2021 used default settings that allowed anonymous access to data.
If a portal displays records through a list and Table Permissions have not been configured for the underlying table, the data behind that list can be retrieved without a login.
Microsoft has released a tool, the Portal Checker, to check access rights on Power Apps Portals.
Power Apps Portals serve list data through an OData API, and it is that API which returns the records when no table permissions are in place.
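A self-check a portal owner can run from an unauthenticated client, as an added example that is not code from the advisory, from Microsoft or from UpGuard. It assumes the portal's OData feed is served at <portal>/_odata, that the service document is JSON with a "value" array of entity sets, and that a 200 response with a non-empty "value" on an entity set means records are readable without a login; the hostname and the sample responses are constructed placeholders.

```python
"""Anonymous exposure check for a Power Apps portal's OData feed (added example).

Assumptions, not taken from the advisory: the feed lives at <portal>/_odata,
the service document is JSON with a "value" array of entity sets, and a 200
with a non-empty "value" on an entity set means records are readable without
a login. The portal hostname below is a placeholder.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable

Fetcher = Callable[[str], tuple[int, str]]


def fetch_anonymous(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET a URL with no credentials or cookies; return (status, body)."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "User-Agent": "odata-exposure-check/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def entity_sets_from_service_document(status: int, body: str) -> list[str]:
    """Names of entity sets advertised by the OData service document, or [] if none.

    401/403 means the feed demands a login, 404 means it is disabled, and any
    other non-JSON answer is treated as "nothing advertised".
    """
    if status != 200:
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    return [item["name"] for item in doc.get("value", []) if isinstance(item, dict) and "name" in item]


def records_readable(status: int, body: str) -> int:
    """How many records an anonymous GET of an entity set returned (0 if refused)."""
    if status != 200:
        return 0
    try:
        doc = json.loads(body)
    except ValueError:
        return 0
    value = doc.get("value")
    return len(value) if isinstance(value, list) else 0


def check_portal(base_url: str, fetch: Fetcher = fetch_anonymous) -> dict[str, int]:
    """Map each anonymously readable entity set to the number of records returned.

    An empty dict means the portal handed nothing to an unauthenticated client;
    a non-empty one is the finding to fix with Table Permissions. Only the first
    page of each set is requested, so the counts are a lower bound.
    """
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/_odata")
    findings: dict[str, int] = {}
    for name in entity_sets_from_service_document(status, body):
        set_status, set_body = fetch(f"{base}/_odata/{name}")
        count = records_readable(set_status, set_body)
        if count:
            findings[name] = count
    return findings


# Constructed sample responses standing in for a live portal (not real data).
SAMPLE_RESPONSES = {
    "https://example.powerappsportals.com/_odata": (200, json.dumps({
        "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
        "value": [{"name": "contacts", "url": "contacts"},
                  {"name": "appointments", "url": "appointments"}],
    })),
    # No table permissions on contacts: the records come back to an anonymous client.
    "https://example.powerappsportals.com/_odata/contacts": (200, json.dumps({
        "value": [{"contactid": "1", "emailaddress1": "a@example.invalid"},
                  {"contactid": "2", "emailaddress1": "b@example.invalid"}],
    })),
    # Table Permissions enabled on appointments: the feed refuses the request.
    "https://example.powerappsportals.com/_odata/appointments": (403, ""),
}


def sample_fetch(url: str) -> tuple[int, str]:
    """Offline stand-in for fetch_anonymous that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = check_portal(sys.argv[1])            # live check against your own portal
    else:
        result = check_portal("https://example.powerappsportals.com", sample_fetch)
    for name, count in result.items():
        print(f"EXPOSED: {name} ({count} records on first page)")
    if not result:
        print("No entity sets readable anonymously.")
```

Run it with your own portal URL as the only argument; with no argument it replays the constructed responses and reports the "contacts" set as exposed while "appointments" (which refuses with 403) is not. Run it only against portals you own or are authorised to test.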
Containment, Mitigations & Remediations
Microsoft advises: “To secure a list, you must configure Table Permissions for the table for which records are being displayed and also select the checkbox for Enable Table Permissions setting.”
This exposure has not been observed being actively exploited. However, now that the issue is public and connections can easily be anonymised across the Internet, probing of and access to open portals is likely to increase.
MITRE ATT&CK: T1190 – Exploit Public-Facing Application
References
By Design: How Default Permissions on Microsoft Power Apps Exposed Millions (UpGuard)
Microsoft Power Apps – About Lists (Microsoft)
Analyze and resolve Portal Checker diagnostics results (Microsoft)