November 16, 2024 – A recent report from AppOmni highlights significant security vulnerabilities in websites built with Microsoft Power Pages, revealing that many organizations inadvertently overprovision database privileges, resulting in the exposure of sensitive information.
The findings indicate that a lack of understanding regarding access control configurations and default settings contributes to the issue. Researchers discovered that insecure custom code implementations and excessive database access permissions have led to the potential exposure of personally identifiable information (PII) and sensitive internal records.
Aaron Costello, AppOmniās chief of SaaS security research, noted that during authorized testing, several million sensitive records were uncovered, indicating that the overall risk could be much larger across all Power Pages websites. In one alarming instance, a large service provider for the NHS was found to be leaking data for over 1.1 million employees, including email addresses and home addresses.
Microsoft Power Pages is a low-code SaaS platform designed to facilitate the creation of business websites. It includes role-based access control (RBAC) and a built-in database through Microsoft Dataverse. However, misconfigurations often arise when administrators assign global access to tables for both authenticated and anonymous roles, particularly in setups allowing public registrations.
Costello emphasized that many organizations mistakenly believe that column-level access controls can sufficiently protect sensitive data. However, this feature is rarely implemented due to its complex setup process, leading to widespread data exposure risks. The report suggests that organizations should review their Power Pages access controls meticulously, focusing on site settings, table permissions, and column security.
To mitigate these security gaps, Costello advises organizations to audit their configurations and implement stricter access controls, especially for sensitive data. The report also includes a technical proof of concept demonstrating the misconfigurations that can lead to data exposure.
The AppOmni report serves as a critical reminder for organizations using Microsoft Power Pages to reassess their security practices to prevent potential data breaches and protect sensitive information.
