AppOmni researchers found that a misunderstanding of access controls can lead to PII being taken from these low-code websites.
The post Here’s how misconfigurations in Microsoft Power Pages could lead to data breaches appeared first on CyberScoop.
Microsoft’s Power Pages is a low-code platform that enables users to create data-driven websites with minimal coding requirements or knowledge. It’s used by both the public and private sector, at organizations large and small, to assist in all sorts of scenarios where a customer or a citizen needs data to solve a problem. These pages also may be creating a problem for their respective organizations, in the form of leaking sensitive information, if they are not configured correctly.
Researchers at Software-as-a-Service (SaaS) security company AppOmni discovered exactly how this happens within Power Pages, which has been detailed in research published Thursday.
The researchers found significant amounts of information can be accidentally shared on the public internet due to misconfigurations in access settings on websites built with Microsoft Power Pages. In one such instance found by the company, a large service provider for England’s National Health Service was leaking information of over 1.1 million NHS employees, including email addresses, phone numbers and home addresses.
AppOmni says the misconfigurations happen because people can easily make errors when setting up access controls in Power Pages, as well as using insecure custom code.
Exposures can occur when Power Pages websites allow too many permissions to users who haven’t signed in. The platform’s role-based access control is set up to automatically assign roles to users, which are cataloged as “Anonymous Users” or “Authenticated Users.” When a site is incorrectly configured, “Authenticated Users” can be treated as an internal user, and potentially access sensitive data through the platform’s APIs.
Power Pages also has several layers of security to control users’ access to data — layers labeled as “site,” “table,” “column,” and “record” levels — but these are often improperly set up. At the site level, default settings make it easy for people to register and gain access to data they should not be able to obtain. At the table and record levels, permissions are given to different roles, but mistakes, like giving “Global Access” to roles such as “Anonymous Users,” can let anyone access all data.
Aaron Costello, AppOmni’s chief of SaaS security research, told CyberScoop that Power Pages users must pay better attention to the security parameters within the product, especially given Power Pages’ popularity. Earlier this year, Microsoft said websites built and maintained with Power Pages have over 250 million users every month.
“It’s clear that organizations need to prioritize security when managing external-facing websites, and balance ease of use with security in SaaS platforms,” Costello said. “These are the applications holding the bulk of confidential corporate data today, and attackers are targeting them as a way into enterprise networks.”
The research does emphasize that the issue is the way in which Power Pages sites are deployed, and not an underlying vulnerability in Power Pages. There are warnings in Power Pages and other Power Platform applications that alert users of potentially risky configurations, including a banner on all Power Platform admin pages that indicates if changes on public sites are immediately visible. Additionally, a message on the Power Pages table permissions page highlights the risks of using the “Anonymous” role for table permissions. A warning icon also appears next to any permission that grants “Global Access” to “Anonymous Users.”
A Microsoft spokesperson told CyberScoop that IT admins should watch for those alerts in the Microsoft Power Platform Admin Center.
“We provide strict data access by default, and there are security and governance controls for IT administrators to customize to their organization’s needs,” the spokesperson told CyberScoop.
AppOmni also says organizations using Power Pages should heavily scrutinize their access controls, particularly permissions granted at the user level, to ensure that no sensitive information is publicly exposed. Additionally, admins should ensure correct Web API and authentication settings, check tables with “Global Access” and how they are associated with external roles, and verify that columns accessible to external users have appropriate security and masking.
You can read the full research here.
The post Here’s how misconfigurations in Microsoft Power Pages could lead to data breaches appeared first on CyberScoop.
Source: CyberScoop
Source Link: https://cyberscoop.com/microsoft-power-pages-misconfiguration-appomni/