1.1 Million UK National Health Service Staff Records Leaked Due to Microsoft Power Pages Misconfiguration
More than one million records of NHS employees, including email addresses, telephone numbers and residential addresses, were exposed online as a result of a misconfiguration of Microsoft Power Pages, Microsoft's low-code website builder.
In September, analysts from SaaS security provider AppOmni identified a large business service provider shared among NHS organizations that had inadvertently exposed sensitive information because of inadequate permission settings on Power Pages.
The misconfiguration involved overly permissive access control settings on certain tables and columns reachable through the Power Pages Web API, which allowed access by anonymous users, that is, visitors who had not logged in. The matter was reported to the NHS and subsequently fixed.
Further authorized testing by AppOmni revealed multiple records from various organizations and government bodies that were exposed through similar misconfigurations.
The exposed data included internal business records as well as the data of registered platform users such as consumers, breaching patient confidentiality regulations and exposing enterprises to regulatory liability, since regulations such as GDPR mandate rigorous safeguards for personal health details.
In an email to TechRepublic, Aaron Costello, head of SaaS security research at AppOmni, mentioned: “These exposures are substantial — Microsoft Power Pages sees over 250 million users monthly, including prominent businesses and governmental entities in sectors like finance, healthcare, automotive, among others.
“AppOmni’s revelation underscores the serious dangers posed by improperly set access controls in SaaS platforms: sensitive data, including personal information, has been exposed here.
“It is evident that organizations must prioritize security while managing public-facing platforms and harmonize user-friendliness with security in SaaS platforms — these applications harbor the majority of confidential enterprise data currently, and hackers are eyeing them as potential entry points into corporate networks.”
Frequent Misconfigurations in Power Pages
Within Power Pages, administrators delineate which users can access diverse sections of a platform’s underlying data repository, known as Dataverse in the Power Platform.
One of the primary advantages of using Power Pages over traditional web development is the pre-built role-based access control. However, this ease can lead technical teams towards complacency.
AppOmni identified several main methods resulting in business data exposure:
- Permitting open self-registration: This is the default setting upon site deployment. It enables Anonymous users to register and attain “Authenticated” status, which usually grants more permissions. Even if registration pages are not visible on the site, users might still register and acquire Authenticated status through the related APIs.
- Granting tables with “Global Access” to external users: If Anonymous users possess “Global Access” permissions on a specific table, any individual can view the rows. The same applies if Authenticated users hold this permission and open self-registration is active.
- Omitting column security for sensitive columns: Even where a table has access controls, attackers might find columns that lack column-level security, allowing the data in them to be read without restriction. Column security is often not applied consistently, especially on tables with broader access configurations; AppOmni attributed this to the intricate setup process or to the table having been intended to be private in the first place.
- Refraining from substituting sensitive information with masked strings: This offers an alternative to enforcing column-level security without affecting platform functionality.
- Exposing excessive columns via the Power Pages Web API: AppOmni frequently observes companies making every column of a table retrievable via the Web API, exposing far more data than necessary should an unauthorized party reach it.
Securing Your Power Pages Site
Identify Warning Signals
Microsoft has incorporated various warning signals to alert users when a potentially hazardous configuration is detected, including:
- Banner on Power Platform admin console pages: This notifies that all modifications on a public site will be instantly visible.
- Message on Power Page’s table permissions configuration page: Administrators are informed that if data is visible to the Anonymous role, it implies it can be viewed by anyone.
- Warning icon on Power Page’s table permissions configuration page: This is displayed alongside permissions granting Global Access to Anonymous users.
Inspect Access Controls
Power Pages administrators should minimize unnecessary access by external users by scrutinizing site settings, table permissions and column permissions. AppOmni recommends reassessing the configuration of the following key aspects:
- Site settings, particularly:
  - Webapi/<object>/enabled
  - Webapi/<object>/fields
  - Authentication/Registration/Enabled
  - Authentication/Registration/OpenRegistrationEnabled
  - Authentication/Registration/ExternalLoginEnabled
  - Authentication/Registration/LocalLoginEnabled
  - Authentication/Registration/LocalLoginDeprecated
- Table permissions: Any table set with “Global Access” in the “Access Type” and aligned with external roles.
- Column permissions: Columns from tables accessible to external users without column security enacted and a suitable mask.
- Column Security Profiles: Any column security profiles that involve external roles.
If changing these settings would break platform functionality, AppOmni suggests deploying a custom API endpoint that validates user-supplied data.
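As an added example (not code from AppOmni, Microsoft or the NHS), the following script audits an exported set of Power Pages site settings and table permissions for the three exposure patterns described above: open self-registration, Global read access granted to the Anonymous or Authenticated role, and a Web API that exposes every column of a table. The site-setting names are the ones listed above; the export format, role names and sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Web roles that exist on every Power Pages site and cover outsiders (assumed default names).
ANON, AUTH = "Anonymous Users", "Authenticated Users"

@dataclass
class TablePermission:
    table: str
    access_type: str        # "Global", "Contact", "Account", "Self" or "Parent"
    roles: set              # web roles the permission is assigned to
    read: bool = True

def _norm(settings):
    # Site setting names are matched case-insensitively; values are compared as lowercase strings.
    return {k.lower(): str(v).strip().lower() for k, v in settings.items()}

def audit(settings, permissions):
    s = _norm(settings)
    findings = []
    # 1. Open self-registration: anyone can obtain the Authenticated role.
    open_reg = (s.get("authentication/registration/enabled") == "true"
                and s.get("authentication/registration/openregistrationenabled") == "true")
    if open_reg:
        findings.append("Open self-registration: anyone can obtain the Authenticated role")
    # 2. Global read access reaching an external role.
    for p in permissions:
        if not (p.read and p.access_type == "Global"):
            continue
        if ANON in p.roles:
            findings.append(f"{p.table}: Global read access granted to {ANON}")
        elif AUTH in p.roles and open_reg:
            findings.append(f"{p.table}: Global read access granted to {AUTH} while open registration is on")
    # 3. Web API enabled for a table with fields = * (every column retrievable).
    for name, value in s.items():
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "webapi" and parts[2] == "enabled" and value == "true":
            if s.get(f"webapi/{parts[1]}/fields", "") == "*":
                findings.append(f"{parts[1]}: Web API exposes every column (fields = *)")
    return findings

# Constructed sample export for the example; not real NHS or AppOmni data.
SAMPLE_SETTINGS = {
    "Authentication/Registration/Enabled": "true",
    "Authentication/Registration/OpenRegistrationEnabled": "true",
    "Webapi/contact/enabled": "true", "Webapi/contact/fields": "*",
    "Webapi/incident/enabled": "true", "Webapi/incident/fields": "title,statuscode",
}
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Global", {AUTH}),        # reachable by anyone who self-registers
    TablePermission("incident", "Contact", {AUTH}),      # scoped to the caller's own records: fine
    TablePermission("announcement", "Global", {ANON}),   # readable by anyone on the internet
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_PERMISSIONS):
        print("FINDING:", finding)
```

Real deployments would feed the function from an export of the site settings and table permissions rather than the inline sample.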
