Massive Data Leakage from PowerApps, Microsoft blames customers
A security company has revealed a dangerous setting in Microsoft PowerApps. Microsoft has fallen back on one of their oldest tricks, blaming the customer. There’s a similar ‘way too open’ option in Word, Excel and PowerPoint.
Power Apps provides ways for organizations to make simple apps that access online data without needing complex programming. This is done via the Open Data Protocol (OData), which exposes lists for public and in-house web sites.
As reported by The Register, buried deep in the documentation is this warning:
“To secure a list, you must configure Table Permissions for the table for which records are being displayed and also set the Enable Table Permissions Boolean value on the list record to true.”
In other words, the source database is open to the public by default and it’s up to the app developer to secure the connection.
Perhaps understandably, many organizations don’t realize the danger and leave the database open to hackers. That data can be customer or other private information.
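The practical question for an administrator is whether their own portal currently hands list data to anonymous clients. The following self-check is an added example, not code from the article, The Register or Microsoft. It assumes (labelled in the comments) that the portal serves its OData feed under the `/_odata` path and that an entity set which returns records to an unauthenticated GET is one whose table permissions are not enforced; the HTTP layer is injectable, so the check runs offline against the constructed sample responses at the bottom.

```python
"""Self-check for a Power Apps portal: can an anonymous client read list data over OData?

Added example, not code from the article or from Microsoft. Assumptions (labelled):
the portal serves its OData feed under "/_odata", and an entity set that returns
records to an unauthenticated GET is one whose table permissions are not enforced.
The HTTP layer is injectable, so the check runs offline against constructed responses.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ODATA_PATH = "/_odata"  # assumption: default OData feed path of a Power Apps portal
Fetch = Callable[[str], Tuple[int, str]]  # url -> (status, body)


@dataclass
class Finding:
    service_url: str
    status: int                    # HTTP status of the service-document request
    exposed: bool                  # True if any entity set returned records anonymously
    exposed_sets: Tuple[str, ...]  # names of the entity sets that did
    note: str


def http_get(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Unauthenticated GET; the default fetcher when auditing a portal you administer."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def json_value(body: str) -> list:
    """Return the OData 'value' array from a response body, or [] if it is not JSON."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    value = doc.get("value") if isinstance(doc, dict) else None
    return value if isinstance(value, list) else []


def records_in(body: str) -> int:
    return len(json_value(body))


def audit_portal(base_url: str, fetch: Fetch = http_get) -> Finding:
    service_url = base_url.rstrip("/") + ODATA_PATH
    status, body = fetch(service_url)
    if status in (401, 403):
        return Finding(service_url, status, False, (), "anonymous access to the feed is denied")
    if status == 404:
        return Finding(service_url, status, False, (), "no OData feed at this path")
    if status != 200:
        return Finding(service_url, status, False, (), f"unexpected HTTP {status}; review manually")
    names = [str(e.get("name", "")) for e in json_value(body) if isinstance(e, dict)]
    if not names:
        return Finding(service_url, status, False, (), "200 but no entity sets listed (HTML login page?)")
    # A listed entity set only matters if it hands records to an anonymous client.
    open_sets = []
    for name in names:
        s, b = fetch(f"{service_url}/{name}?$top=1")
        if s == 200 and records_in(b) > 0:
            open_sets.append(name)
    if open_sets:
        note = "records readable without authentication; enable table permissions on these lists"
    else:
        note = "entity sets listed but none returned records anonymously"
    return Finding(service_url, status, bool(open_sets), tuple(open_sets), note)


def fake_fetch(responses: Dict[str, Tuple[int, str]]) -> Fetch:
    """Offline fetcher backed by a dict of constructed responses; unknown URLs get 404."""
    return lambda url: responses.get(url, (404, ""))


# Constructed sample responses (not captured from any real portal).
BASE = "https://contoso.example"
OPEN_PORTAL = {
    BASE + ODATA_PATH: (200, json.dumps({"value": [
        {"name": "contacts", "url": "contacts"}, {"name": "faqs", "url": "faqs"}]})),
    BASE + ODATA_PATH + "/contacts?$top=1": (200, json.dumps({"value": [
        {"contactid": "00000000-0000-0000-0000-000000000001", "emailaddress1": "jane@example.test"}]})),
    BASE + ODATA_PATH + "/faqs?$top=1": (200, json.dumps({"value": []})),
}
LOCKED_PORTAL = {
    BASE + ODATA_PATH: (200, json.dumps({"value": [{"name": "contacts", "url": "contacts"}]})),
    BASE + ODATA_PATH + "/contacts?$top=1": (403, json.dumps({"error": {"message": "Access denied"}})),
}

if __name__ == "__main__":
    for label, portal in (("open", OPEN_PORTAL), ("locked", LOCKED_PORTAL)):
        f = audit_portal(BASE, fetch=fake_fetch(portal))
        print(f"{label}: exposed={f.exposed} sets={f.exposed_sets} ({f.note})")
```

The check deliberately does not stop at the service document: a portal can list an entity set and still refuse anonymous reads once table permissions are enforced, which is why the `LOCKED_PORTAL` sample reports no exposure. Run it against a real portal with the default `http_get` fetcher, and fix any reported list by setting its table permissions as the quoted documentation describes.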
Microsoft’s response – blame the customer
Microsoft’s reply to this problem is typical and predictable for anyone accustomed to their ways. They blame the customer. Of course the company doesn’t say that directly, but it’s what they mean with phrases like:
Microsoft has ‘determined that this behavior is considered to be by design’.
“We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs.”
Frankly, that’s not good enough, especially in a ‘low code’ product that’s intended for non-professional programmers. At the very least there should be a warning that the default settings aren’t fully secure.
As usual, Microsoft has chosen defaults that make the product ‘easy’ and a good sales point, with security considerations pushed aside. Microsoft has always put marketing and sales before privacy and safety, despite all the platitudes otherwise.
Another dangerous default in Microsoft Office
Here’s another example of a default choice in Office that’s perhaps not as secure as it could be. Choosing ‘Share’ in Word, Excel or PowerPoint opens a dialog with the open-access default “Anyone with the link can edit”.
That means any person who gets hold of the link can open and edit the document. If the link ‘escapes’, for example because a recipient’s mailbox is hacked, then the document is more widely available than expected.
The more secure options like Read Only, specific people, password and expiry are all available but not obvious on the initial screen.
Microsoft has chosen that default and the minimal first dialog because that’s uncomplicated and least likely to raise support questions. The data loss risk is less important and Microsoft can always blame the customer.