Default Settings in Microsoft Power Apps to Blame for Online Data Leak
38 million people have had their personal data exposed online, and the default permission settings in a Microsoft app-building tool are to blame. Names, email addresses, phone numbers, social security numbers and even COVID-19 vaccination appointments were made public online by 47 different companies and government agencies through Microsoft’s Power Apps platform. The issues have been fixed by Microsoft, and there is no evidence of the personal information being exploited.
This vulnerability was discovered in May by the security research team at UpGuard. In a recent blog post by the security research company, as well as a report from Wired, it is explained that organizations using the Microsoft platform had configured improper data permissions.
“We found one of these [apps] that was misconfigured to expose data and we thought, we’ve never heard of this, is this a one-off thing or is this a systemic issue?” Greg Pollock, UpGuard Vice President of cyber research told Wired. “Because of the way the Power Apps portals product works, it’s very easy to quickly do a survey. And we discovered there are tons of these exposed. It was wild.”
Microsoft Power Apps is a platform that allows companies to build apps and websites without formal coding experience. Organizations implicated in the breach – including Ford, American Airlines, J.B. Hunt, and state agencies in Maryland, New York City and Indiana – were using this data for different purposes, including efforts to organize vaccinations. Power Apps includes tools that quickly organize data but, under the default settings, also left that data publicly accessible. This is the vulnerability UpGuard discovered.
This particular breach is interesting, as it is both a software vulnerability and a poor UI design choice. UpGuard claims that Microsoft’s stance on this vulnerability is that it falls in the lap of the user for not properly configuring their permissions in the app. Since the vulnerability was discovered, Microsoft has changed the default permission setting that caused the exposure.
Story via The Verge