Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

How to Use Tenable.io WAS to Find and Fix Sensitive Information Exposure in Microsoft Power Apps

Rémy Marot
September 30, 2021 • 6 Min Read
by Rémy Marot 
Blog Home / Research

Researchers identified a configuration issue in Microsoft Power Apps portals that exposed millions of records for nearly 50 organizations. Learn how you can use Tenable.io Web App Scanning to identify this configuration issue and prevent the exposure of sensitive information.

Thanks to Satnam Narang from the Security Response Team for his contributions to this blog post.

Background

On August 23, UpGuard Research published a blog post detailing its discovery of the exposure of 38 million records across 47 entities via Microsoft Power Apps portals. Power Apps portals, as Microsoft describes them, allows both internal and external individuals to securely access Microsoft Dataverse data using portals.

According to UpGuard, the Power Apps portals are configured for public access by default, which means anonymous users could access this data. In their research, Upguard found the exposure of personally identifiable information (PII), including COVID-19 related contact tracing and vaccination appointment details, social security numbers, employee IDs, names and addresses and a variety of other sensitive information.

UpGuard disclosed its findings to Microsoft in June. Microsoft responded that the behavior is “considered to be by design” and UpGuard’s case was closed. However, as recent industry data shows, misconfigurations in cloud environments can increase an organization's risk of being breached.

Two-thirds of cloud breaches were due to misconfigurations

IBM’s 2021 X-Force Cloud Security Threat Landscape Report, which analyzed data sets from Q2 2020 through Q2 2021, found that two-thirds of cloud environment breaches could have been prevented if misconfigurations and policies were properly reviewed and addressed. IBM’s findings were centered around improperly configured APIs and virtual machines, but the overarching theme of misconfigurations is also applicable to Power Apps. However, the problem with the Power Apps exposure is that organizations likely did not realize they were exposing this information when UpGuard identified the exposure.

Analysis

As a low-code platform — an environment that supports development via a graphical user interface instead of hand-coding — Microsoft Power Apps allow users to build and publish web pages rendering data from multiple sources using connectors. Among the different application types offered by the platform, Power Apps portals provide a web view which can be accessed by authenticated or anonymous users. By leveraging the concept of lists, a Power Apps user is able to quickly render a set of records from the data source without the need to write code.

The problem with default table permissions in Power Apps

Power Apps portals rely on web roles and table permissions to define the privileges allowed to the different users on a given list, whether they are authenticated or not. By default, table permissions are not applied to lists and need to be explicitly enabled with an option in the list properties:


Source: Tenable Research, 2021

Usually, lists are included in web pages which have their own permissions settings, preventing the pages from being accessed by unauthorized or anonymous users.

Exposing sensitive information through OData feeds

A feature of Power Apps portals lists allows users to publish the underlying data feed as a RESTful web service through the OData protocol:


Source: Tenable Research, 2021

OData feeds define a specific endpoint on the target application, which exposes OData metadata and the list of feeds available:

Example endpoint: https://myportal.powerappsportals.com/_odata/


Source: Tenable Research, 2021

With the previous default configuration, table permissions were not enforced on the various data collections returned in the OData feed, leading to the data being exposed to any user with a query targeting specific collections like: Example endpoint: https://myportal.powerappsportals.com/_odata/collection


Source: Tenable Research, 2021

Solution

The mitigation of this configuration issue requires enforcing table permissions, especially when the OData feed is enabled.

Power Apps portals management can be achieved by using Power Apps portals Studio or with the Power Apps portal management application.

With Power Apps portals Studio, table permissions are enabled by default when adding a new entity to a page:


Source: Tenable Research, 2021

Browsing a live website with this option enabled and without any explicit permission will display an error:


Source: Tenable Research, 2021

With Power Apps portal management, applications previously required users to enable the table permissions. Now, the option is set by default when creating an entity:


Source: Tenable Research, 2021

When trying to disable the table permissions, a warning is now displayed at the top of the Power Apps management console:


Source: Tenable Research, 2021

On July 15, Microsoft added release notes that include a configuration check for both existing and new portals to detect when the “Enable Table Permissions” is disabled when OData feeds are enabled:


Source: Tenable Research, 2021

Finally, Microsoft added a warning message in the Power Apps portals Studio when one or more entities exists without table permissions. This alert warns users that the permissions will be enforced automatically starting in April 2022:


Source: Tenable Research, 2021

Note that enabling table permissions does not prevent Power Apps administrators from misconfiguring a table if, for example, they set anonymous access to lists containing sensitive data.

Identifying affected systems

Power Apps portals are software-as-a-service (SaaS) web applications hosted in the Microsoft Cloud platform. Tenable.io Web App Scanning offers two plugins to help customers identify applications built on the Power Apps platform and determine whether they are potentially exposing data.

The Power Apps Application Detected plugin is designed to verify if an application hosted on a custom DNS name is a Power Apps portal:


Source: Tenable Research, 2021

Once a Power Apps portal is detected, customers can use the Power Apps OData Feeds Detected plugin. This plugin performs a check on the OData feeds to identify collections that can be publicly accessed and their associated URLs. Web App Scanning users can then browse the list of collections to verify if any sensitive or unexpected data has been exposed.


Source: Tenable Research, 2021

Note that Microsoft also provides the portal checker tool, which can be used in addition to Web App Scanning to allow administrators to run a configuration check on their portals and identify lists that allow for anonymous access:


Source: Tenable Research, 2021

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Rémy Marot

Rémy Marot

Rémy joined Tenable in 2020 as a Senior Research Engineer on the Web Application Scanning Content team. Over the past decade, he led the IT managed services team of a web hosting provider and was responsible for designing and building innovative security services in a Research & Development team. He also contributed to open source security softwares, helping organizations increase their security posture.

Interests outside of work: Rémy enjoys spending time with his family, cooking and traveling the world. Being passionate about offensive security, he enjoys doing ethical hacking in his spare time.

Related Articles

Do You Think You Have No AI Exposures? Think Again

August 6, 2024

As AI usage becomes more prevalent in organizations globally, security teams must get full visibility into these applications. Building a comprehensive inventory of AI applications in your environment is a first step. Read on to learn what we found about AI application-usage in the real world when we analyzed anonymized telemetry data from scans using Tenable’s products.

Rajiv Motwani

Rajiv Motwani

Identifying Web Cache Poisoning and Web Cache Deception: How Tenable Web App Scanning Can Help

March 18, 2024

Web cache poisoning and web cache deception are two related but distinct types of attacks that can have serious consequences for web applications and their users. Learn how these flaws arise, why some common attack paths are so challenging to mitigate and how Tenable Web App Scanning can help.

Joshua Martinelle

Joshua Martinelle

Tenable.io and Tenable.io WAS Achieve FedRAMP Authorization

October 7, 2021

Six reasons why FedRAMP authorization for Tenable.io and Tenable.io Web App Scanning (WAS) is important for our customers and partners. After lengthy and rigorous testing under the U.S. Federal Risk ...

Lindsay Schwartz

Lindsay Schwartz

Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps

November 21, 2024

A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.

Brinton Taylor

Brinton Taylor

Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics

November 21, 2024

A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.

Brinton Taylor

Brinton Taylor

Volt Typhoon: What State and Local Government Officials Need to Know

November 19, 2024

Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.

Mark Weatherford

Mark Weatherford

  • Tenable Web Application Scanning
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Buy Now
Try for free Buy now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for free Contact sales

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology security you need.

Reduce the risk you don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a demo of Tenable Cloud Security

Exceptional unified cloud security awaits you!

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
in action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management in action

Know the exposure of every asset on any platform.

Get a demo of Tenable Enclave Security

Please fill out the form with your contact information and a sales representative will contact you shortly to schedule a demo.

Try for free Buy now

Try Tenable Nessus Professional free

Free for 7 days

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
now available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select your license

Buy a multi-year license and save.

Add support and training
Buy Now
Renew an existing license Find a reseller
Try for free Buy now

Try Tenable Nessus Expert free

Free for 7 days.

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select your license

Buy a multi-year license and save more.

Add support and training
Buy Now
Renew an existing license Find a reseller