Source URL: https://www.theregister.com/2024/11/15/microsoft_power_pages_misconfigurations/
Source: The Register
Title: Microsoft Power Pages misconfigurations exposing sensitive data
Feedly Summary: NHS supplier that leaked employee info fell victim to fiddly access controls that can leave databases dangling online
Private businesses and public-sector organizations are unwittingly exposing millions of people’s sensitive information to the public internet because they misconfigure Microsoft’s Power Pages website creation platform.…
AI Summary and Description: Yes
**Summary:** The text reveals serious security vulnerabilities within Microsoft’s Power Pages, as highlighted by Aaron Costello from AppOmni. Misconfigurations in access controls have exposed sensitive personal and organizational data to the public internet, affecting numerous public and private entities. This issue underscores the critical need for robust security measures in external-facing SaaS applications, especially regarding permission management and access control structures.
**Detailed Description:**
The analysis discusses the security oversights related to Microsoft’s Power Pages, a low-code website creation platform used extensively by both public and private organizations. Here are the key points of concern outlined in the text:
– **Data Exposure Risks:**
  – Organizations inadvertently expose sensitive information, including personally identifiable information (PII), because of misconfigured access controls.
  – A cited example is a significant data leak involving over 1.1 million NHS employees in the UK, revealing email addresses, phone numbers, and home addresses.
– **Scale of the Problem:**
  – Reports indicate that millions of records have been found exposed across sectors including technology, health, and finance.
  – Power Pages reportedly has over 250 million monthly users, amplifying the potential impact of these security vulnerabilities.
– **Misconfigured Access Controls:**
  – The platform’s role-based access control system ships with preset roles such as “authenticated users” that can lead to excessive permissions being granted.
  – Many organizations mistakenly treat authenticated users as internal users, which leads to over-permissive access settings for people who are in fact external.
– **Complex Security Architecture:**
  – Power Pages uses a multi-layer approach to access control, where a mistake at one layer can cascade into a significant vulnerability.
  – The layers include site-level access, table permissions that dictate which data operations (CRUD) a role may perform, and column-level access control using data masking.
– **Common Misconfiguration Patterns:**
  – Typical issues include:
    – Granting global access to tables that are reachable via the Web API.
    – Enabling public user registration without proper authentication checks.
    – Failing to implement column security, leading to sensitive data exposure.
– **Calls for Enhanced Security Practices:**
  – Experts like Costello stress the need for organizations to prioritize security in the management of SaaS applications.
  – Effective mitigation strategies include limiting access rights for external users and employing stringent column-level security measures.
– **Role of Security Tools:**
  – Tools such as Burp Suite can be used to exploit these vulnerabilities, since they let a user intercept and modify requests and thereby expose the underlying security weaknesses.
– **Recommendations for Organizations:**
  – Organizations are encouraged to actively manage and verify the access controls on their external-facing websites.
  – Regular security audits and a shift in how user roles are perceived (especially concerning external users) are vital for maintaining data security.
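To make the audit these recommendations call for concrete, here is an added Python example (written for this page, not code from Microsoft, AppOmni or The Register) that flags the misconfiguration patterns listed above over a constructed, simplified representation of Power Pages table permissions. The record shape, the PII column list and the sample records are assumptions for the demo, not the platform's real schema.

```python
from dataclasses import dataclass, field

# Default Power Pages web roles that stand for people outside the organization;
# treating "Authenticated Users" as internal staff is the mistake described above.
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}
# Columns treated as personal data (constructed list for this example).
PII_COLUMNS = {"emailaddress1", "telephone1", "address1_line1"}

@dataclass
class TablePermission:
    """Assumed, simplified shape of a table permission record (not the real schema)."""
    table: str
    access_type: str               # "Global", "Contact", "Account", "Parent" or "Self"
    privileges: set                # subset of {"Read", "Write", "Create", "Delete"}
    web_roles: set                 # web roles the permission is assigned to
    columns: set                   # columns present on the table
    web_api_enabled: bool = False  # table reachable through the site's Web API
    masked_columns: set = field(default_factory=set)  # columns under column security

def audit(perm: TablePermission) -> list:
    """Return findings for one record; an empty list means nothing to report."""
    findings = []
    external = perm.web_roles & EXTERNAL_ROLES
    if not external:
        return findings  # internal-only roles are out of scope for this check
    who = ", ".join(sorted(external))
    if perm.access_type == "Global":
        if "Read" in perm.privileges:
            findings.append(f"{perm.table}: Global read granted to {who}")
        if perm.privileges - {"Read"}:
            findings.append(f"{perm.table}: Global write-class privileges for {who}")
        if perm.web_api_enabled:
            findings.append(f"{perm.table}: whole table reachable by {who} via Web API")
    exposed = (perm.columns & PII_COLUMNS) - perm.masked_columns
    if "Read" in perm.privileges and exposed:
        findings.append(f"{perm.table}: PII readable without column security: "
                        + ", ".join(sorted(exposed)))
    return findings

def audit_all(perms) -> dict:
    return {p.table: audit(p) for p in perms if audit(p)}  # only tables with findings

# Constructed sample: one over-permissive record, one scoped to the signed-in user.
SAMPLE = [
    TablePermission("contact", "Global", {"Read"}, {"Authenticated Users"},
                    {"fullname", "emailaddress1", "telephone1"}, web_api_enabled=True),
    TablePermission("account", "Self", {"Read", "Write"}, {"Authenticated Users"},
                    {"name", "emailaddress1"}, web_api_enabled=True,
                    masked_columns={"emailaddress1"}),
]
```

Running `audit_all(SAMPLE)` reports three findings for `contact` (global read, Web API exposure, unmasked PII) and nothing for `account`, whose access is scoped to the user's own record and whose email column is masked.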
In conclusion, the text highlights the pressing need for security awareness and strict access control policy on externally accessible web applications. Security and compliance professionals should promptly review and strengthen access control governance across applications like Power Pages to prevent data breaches and safeguard sensitive information.