1.1 Million UK NHS Employee Data Leaked Due to Microsoft Power Pages Misconfig
An extensive collection of over a million records of NHS employees — comprising email IDs, contact numbers, and residential addresses — was inadvertently exposed online as a result of a misconfiguration in Microsoft Power Pages, a low-code website building tool.
In September, researchers at the SaaS security firm AppOmni uncovered a major shared business service provider for the NHS that was allowing unauthorized access to sensitive information due to insecure permission settings in Power Pages.
Specifically, the permissions on certain tables and columns exposed through the Power Pages Web API were excessively broad, unintentionally granting access to users in the “Anonymous” role, i.e. visitors who are not logged in. The misconfiguration has since been reported to the NHS and addressed.
Nevertheless, AppOmni’s authorized assessment also found numerous other records from various organizations and government bodies exposed through similar misconfigurations.
The data comprised internal organization files and information, along with the details of registered users on the website. Such data breaches not only infringe on patient confidentiality but also expose businesses to legal risks as regulations like the GDPR require stringent safeguarding of personal health data.
Aaron Costello, the lead SaaS security researcher at AppOmni, conveyed to TechRepublic via email: “These exposures bear weight — Microsoft Power Pages is favored by more than 250 million users monthly, including top-tier entities and governmental departments spanning finance, healthcare, automotive, and more.
“AppOmni’s discovery sheds light on the significant threats posed by inaccurately configured access controls in SaaS applications: here, sensitive data and personal details have been laid bare.
“It is evident that entities must prioritize security when administering outward-facing websites and strike a balance between user-friendliness and security in SaaS platforms — these applications hold a lion’s share of confidential business data today, and ill-intentioned actors are honing in on them as an entryway into corporate networks.”
Frequent Misconfigurations in Power Pages
Administrators in Power Pages decide which users can access various elements in a site’s underlying Dataverse, the Power Platform’s data repository layer.
One notable advantage of using Power Pages instead of conventional web development lies in its pre-established role-based access management. However, this convenience can lead technical teams to become less vigilant.
AppOmni isolated the primary ways through which business data was left exposed:
- Enabling open self-registration: The default deployment setting allows Anonymous visitors to register and become “Authenticated,” a role usually granted more permissions. Even if the registration pages aren’t publicly visible, users may still be able to enroll and authenticate through the associated APIs.
- Granting “Global Access” on tables to external roles: Granting “Global Access” on a table to the Anonymous role lets anyone read its contents. The same holds true if the Authenticated role has that permission and open self-registration is enabled.
- Failing to enable column security on sensitive columns: Even with access controls on the table, columns that lack column-level security remain fully readable to anyone who can reach the table. Column security is frequently missing in a consistent pattern, especially in tables with broad access; AppOmni suggests this is due to the laborious setup process or an assumption that it was unnecessary for public data.
- Not replacing sensitive values with masked equivalents: Masking serves as an alternative to column-level security that does not impede website performance.
- Exposing too many columns through the Power Pages Web API: AppOmni frequently sees organizations make every column of a table accessible via the Web API, exposing more data than necessary should unauthorized access be obtained.
Securing Your Power Pages Site
Recognize the Potential Red Flags
Microsoft has incorporated several warning signals to alert users to potentially hazardous settings, including:
- Banner notifications on Power Platform admin console pages: These warnings indicate that all changes made to public sites are immediately visible to the public.
- Messages on the table permissions configuration page within Power Pages: These messages notify administrators that data visible to the Anonymous role is accessible by all users.
- Warning icons on the table permissions configuration page inside Power Pages: These icons highlight permissions granting Global Access to Anonymous users.
Conduct Access Control Audits
Power Pages administrators should ideally refrain from providing excessively high levels of access to external users by thoroughly examining site settings, table permissions, and column permissions. AppOmni recommends reassessing the configurations of the following elements:
- Site settings, notably:
  - Webapi/<object>/enabled
  - Webapi/<object>/fields
  - Authentication/Registration/Enabled
  - Authentication/Registration/OpenRegistrationEnabled
  - Authentication/Registration/ExternalLoginEnabled
  - Authentication/Registration/LocalLoginEnabled
  - Authentication/Registration/LocalLoginDeprecated
- Table permissions: Any table set with “Access Type” as “Global Access” and linked with external roles.
- Column permissions: Columns in tables accessible to external users lacking column security and an appropriate mask.
- Column Security Profiles: Security profiles for columns that incorporate external roles.
If altering these settings would break website functionality, AppOmni suggests developing a custom API endpoint that validates user-supplied data instead of relying on broad table access.
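The exposure patterns listed under “Frequent Misconfigurations” and the audit checklist above can be expressed as a small set of rules over a site’s settings and table permissions. The script below is an added illustration, not AppOmni’s or Microsoft’s code: it models the settings and permissions as constructed Python data (the real values would come from the Power Pages admin tooling) and flags open self-registration, Global Access reachable by external roles, unprotected sensitive columns, and the Web API `fields` wildcard.

```python
from dataclasses import dataclass, field

# Constructed site settings, keyed exactly like the settings in the audit list above.
SITE_SETTINGS = {
    "Authentication/Registration/Enabled": "true",
    "Authentication/Registration/OpenRegistrationEnabled": "true",
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "*",      # "*" means every column of the table
    "Webapi/account/enabled": "true",
    "Webapi/account/fields": "name",
}
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}
@dataclass
class TablePermission:
    table: str
    access_type: str                   # "Global Access", "Contact Access", ...
    roles: set                         # web roles linked to this permission
    sensitive: set = field(default_factory=set)   # columns the site owner deems sensitive
    secured: set = field(default_factory=set)     # columns with column security enabled
    masked: set = field(default_factory=set)      # columns replaced by a masked value

def _on(settings, key):
    return settings.get(key, "false").strip().lower() == "true"

def open_self_registration(settings):
    # Anonymous visitors can sign up and become Authenticated without any approval step.
    return _on(settings, "Authentication/Registration/Enabled") and _on(settings, "Authentication/Registration/OpenRegistrationEnabled")

def audit(settings, permissions):
    findings = []
    open_reg = open_self_registration(settings)
    if open_reg:
        findings.append("site: open self-registration turns any visitor into an Authenticated user")
    for p in permissions:
        ext = p.roles & EXTERNAL_ROLES
        if not ext: continue           # internal-only roles are out of scope here
        # Global Access for Anonymous, or for Authenticated with open sign-up, exposes every row.
        if p.access_type == "Global Access" and ("Anonymous Users" in ext or open_reg):
            findings.append(f"{p.table}: Global Access for {sorted(ext)} exposes all rows publicly")
        for col in sorted(p.sensitive - p.secured - p.masked):   # unprotected sensitive columns
            findings.append(f"{p.table}.{col}: no column security and no mask")
        if _on(settings, f"Webapi/{p.table}/enabled") and settings.get(f"Webapi/{p.table}/fields", "") == "*":
            findings.append(f"{p.table}: Web API exposes all columns via fields=*")
    return findings
# Constructed permissions: an over-exposed contact table and a properly restricted account table.
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Global Access", {"Authenticated Users"},
                    sensitive={"emailaddress1", "telephone1", "address1_line1"}, masked={"telephone1"}),
    TablePermission("account", "Contact Access", {"Authenticated Users"}, sensitive={"accountnumber"}, secured={"accountnumber"}),
]
```

Running `audit(SITE_SETTINGS, SAMPLE_PERMISSIONS)` reports five findings for the constructed site; closing open registration removes the site-level finding and downgrades the contact table’s Global Access, but the unmasked columns and the `fields=*` wildcard remain.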
