Microsoft’s Power Apps portal service is designed to make the development of web or mobile apps easier. Unfortunately, due to an issue with the default security setting, 38 million users’ data was publicly available when it shouldn’t have been.
Essentially, the Microsoft Power Apps platform defaulted to making data publicly accessible instead of keeping the data private by default, as discovered by Upguard and reported by Wired. Unfortunately, this meant that anyone looking to quickly get a web app up and running with these APIs would need to manually enable security, rather than the other way around.
“The UpGuard Research team can now disclose multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access – a new vector of data exposure,” Upguard said in a blog post.