Microsoft Power Pages Misconfiguration Leads to Data Exposure

Misconfigurations within Microsoft Power Pages, a low-code SaaS web platform, are leading to significant data exposure.

According to a new blog post by AppOmni, by granting excessive access permissions, organizations risk exposing sensitive data, including personally identifiable information (PII), to unauthorized users.

Microsoft Power Pages is designed to simplify website creation and data integration for businesses. Yet, mismanagement of its security controls has left millions of records, such as employee information and internal files, accessible to the public internet.

Key Misconfigurations in Microsoft Power Pages

Power Pages uses a role-based access control (RBAC) model to manage user access levels. However, assigning too many permissions to roles like “Anonymous Users” (unauthenticated visitors) and “Authenticated Users” (logged-in visitors) can expose organizations to unintended data leaks.

Since some businesses allow public registration, even casual users can access these expanded permissions. In one instance, AppOmni said, a service provider for the NHS inadvertently exposed over 1.1 million NHS employees’ data, including home addresses, phone numbers and email addresses.

Key risk factors include:

• Misconfigured table permissions that grant unrestricted access to external users

• The use of open registration, which may inadvertently grant users with internal-level permissions

• Failure to enable column-level security, allowing sensitive information to be visible to unauthorized users

• Lack of masking for sensitive data, which could otherwise obscure PII for external users

“These exposures are significant – Microsoft Power Pages is used by over 250 million users every month, as well as industry-leading organizations and government entities, spanning financial services, healthcare, automotive and more,” explained Aaron Costello, chief of SaaS security research at AppOmni.

“Our discovery highlights the significant risks posed by misconfigured access controls in SaaS applications: Sensitive information, including personal details, has been exposed here.”

Read more on data security risks associated with low-code platforms: Researchers Discover Reply URL Takeover Issue in Azure

Best Practices for Securing Power Pages Deployments

“It’s clear that organizations need to prioritize security when managing external-facing websites, and balance ease of use with security in SaaS platforms,” Costello added. “These are the applications holding the bulk of confidential corporate data today, and attackers are targeting them as a way into enterprise networks.”

Firms using Power Pages are advised to review their site, table and column permissions thoroughly. A layered approach is essential, starting with site-level settings, then addressing table permissions and finally verifying column permissions for sensitive fields.

By using Power Pages’ column security and masking options, organizations can limit exposure and protect sensitive data from unauthorized access. Additionally, Power Pages includes backend warnings about potential risks when setting permissions. Administrators should heed these alerts and adjust settings to ensure sensitive information remains secure.

Image credit: T. Schneider / Shutterstock.com