November 15, 2024 at 01:39AM
Misconfigured Microsoft Power Pages websites are exposing sensitive data of millions, including personal identifiable information (PII), due to lax access controls. Aaron Costello of AppOmni highlights significant leaks, such as one affecting 1.1 million NHS employees. Organizations must enhance security measures for external-facing sites to prevent data breaches.
**Meeting Takeaways:**
1. **Data Exposure Risk**: Private and public-sector organizations are unintentionally exposing sensitive information due to misconfigurations in Microsoft’s Power Pages.
2. **Discovery by AppOmni**: Aaron Costello, chief of SaaS security research at AppOmni, identified significant data leaks, including personal identifiable information (PII) and internal files, in September.
3. **Example Case**: A major leak involved over 1.1 million NHS employees’ information, including email addresses and home addresses, which has since been resolved.
4. **Widespread Issue**: Costello noted several million records of sensitive data are exposed, affecting various sectors including technology, health, and finance.
5. **Security Importance**: Organizations must prioritize security settings for external-facing websites, balancing usability with security to protect corporate data.
6. **Power Pages Overview**: Power Pages is a low-code platform allowing organizations to create websites with preconfigured role-based access controls, posing risks for mismanagement.
7. **Role Misconfiguration**: The “authenticated user” role can mistakenly grant excessive permissions to external users, leading organizations to overlook security risks.
8. **Access Control Layers**: Power Pages features a multi-layered security structure, where overly permissive table access controls are a common vulnerability.
9. **Data Leaks**: Costello identified key misconfigurations such as:
– Excessive column exposure to the Web API.
– Open registration allowing elevated access for external users.
– Granting global access to anonymous users.
– Not implementing column-level security.
10. **Lack of Security Implementation**: Many organizations do not set up column-level security due to its complexity, leading to potential data exposure.
11. **Use of Tools for Exploitation**: Tools like Burp Suite can be exploited to identify and access sensitive data through misconfigured settings.
12. **Microsoft Notifications**: While Microsoft alerts users to risky configurations, addressing excessive access levels is crucial for total mitigation of vulnerabilities.
13. **Request for Comment**: Microsoft had not responded to inquiries regarding the issue at the time of publication.