Introduction

The launch of Microsoft Power Pages, a low-code platform designed for creating data-driven websites, has inadvertently introduced significant data exposure risks. These vulnerabilities primarily stem from misconfigurations in access controls, leading to unauthorized access to sensitive information [2] [3] [9]. This issue is exacerbated by the platform’s reliance on Microsoft’s Dataverse for data storage [3] [4] [5] [6] [7] [8] [9] [10] [11], which, if not properly configured, can result in excessive permissions and data exposure.

Description

Misconfigurations in Microsoft Power Pages [3] [5] [6] [7] [9], a low-code platform launched in 2022 for creating data-driven websites, have led to significant data exposure risks due to ineffective implementation of access controls. Many websites built on this platform fail to apply the role-based access controls (RBAC) properly, resulting in unauthorized access to sensitive information [2] [3] [10]. Power Pages utilizes Microsoft’s Dataverse for data storage [8] [10], which allows for various levels of access control [10], including site-level [8] [10], table-level [8] [10] [11], and column-level settings [8] [10]. However, many administrators do not configure these controls correctly, leading to excessive permissions that allow users, including “Anonymous” users [3] [7] [9], to view all data instead of just their own [10].

A notable incident involving a shared industry service provider for the NHS highlighted these vulnerabilities, as inadequate permission settings resulted in the exposure of personal information for over 1.1 million NHS employees, including home addresses [2] [3] [4] [5] [6] [7] [8] [9] [11], phone numbers [2] [3] [5] [6] [7] [8] [9], and email addresses [2] [3] [4] [5] [6] [7] [8] [9] [11]. Researchers from AppOmni identified that overly broad permissions on certain tables and columns in the Power Pages Web API allowed unauthorized access to sensitive information, particularly for users not logged in. Research indicates that between 5 million and 7 million records have been exposed across various Power Pages websites due to these vulnerabilities [8], often stemming from misunderstandings of access controls and insecure custom code implementations [1] [9].

Default settings at the site level can allow unauthorized registration and access [4], while mistakes at the table and record levels [4], such as granting “Global Access” to “Anonymous Users,” can expose all data [4]. Open self-registration features [7], enabled by default [11], allow casual users to create accounts and escalate their permissions, thereby increasing access to sensitive data even if the registration pages are not visible. The incident with the NHS not only impacted that organization but also revealed similar vulnerabilities in other entities, emphasizing the need for improved access controls to prevent unauthorized data exposure [2].

The vulnerabilities arise from several factors [11], including excessive exposure of columns to the Web API and a lack of column-level security implementation, which amplifies the risk of unauthorized access [11]. If both external registration and login are enabled without proper role definitions [11], external users can gain unrestricted read access to all data rows [1] [11], regardless of ownership [11]. Furthermore, the absence of obfuscation for sensitive columns during testing means that all web API-enabled columns are visible to external users if table-level permissions are misconfigured [11]. Key misconfigurations include the failure to replace sensitive data with masked strings, which could maintain site functionality [7], and the lack of column security for sensitive columns [7] [11], permitting unrestricted access to certain data [3] [7] [9].

To mitigate these risks [3] [4] [6] [7], organizations are advised to prioritize security in managing external-facing websites [4]. Power Pages administrators should audit site settings [7], table permissions [2] [3] [4] [5] [6] [7] [9] [11], and column permissions [3] [6] [7], specifically reviewing configurations related to Web API and authentication/registration, as well as ensuring that column security profiles are in place for tables accessible to external users. Implementing stricter access permission controls from the outset [2], customizing roles and permissions beyond default settings [2], and applying masks to personally identifiable information (PII) for external users are essential if column security profiles are not utilized. Continuous monitoring of identity controls within SaaS applications is critical to preventing data exposures [1] [9], identifying vulnerabilities [2] [9], and detecting suspicious activity [9]. Regular audits and security assessments are essential to align security protocols with legal requirements such as GDPR [2], helping to mitigate compliance risks associated with data breaches [2].
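The audit described above can be scripted against a snapshot of a site's configuration. The following is an added example, not code from Microsoft, AppOmni or any cited source: the snapshot layout, the `audit_site` function and the sample values are constructed for illustration, and the site-setting names follow Power Pages' `Webapi/<table>/...` and `Authentication/Registration/...` conventions, which the article itself does not spell out.

```python
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}
# Constructed sample in a simplified layout (an assumption, not a Dataverse export schema).
SAMPLE_SITE = {
    "site_settings": {
        "Authentication/Registration/OpenRegistrationEnabled": "true",
        "Webapi/contact/enabled": "true",
        "Webapi/contact/fields": "*",
    },
    "table_permissions": [
        {"table": "contact", "access_type": "Global", "privileges": ["Read"],
         "web_roles": ["Anonymous Users"]},
        {"table": "incident", "access_type": "Contact", "privileges": ["Read", "Write"],
         "web_roles": ["Authenticated Users"]},
    ],
    # Columns the owner classifies as PII, and columns covered by a column security profile.
    "pii_columns": {"contact": ["emailaddress1", "telephone1", "address1_line1"]},
    "secured_columns": {"contact": ["telephone1"]},
}

def audit_site(site):
    """Return (scope, finding) tuples for the misconfigurations the article lists."""
    findings = []
    settings = {k.lower(): str(v).strip().lower() for k, v in site["site_settings"].items()}
    if settings.get("authentication/registration/openregistrationenabled") == "true":
        findings.append(("site", "open self-registration enabled"))
    global_read = set()  # tables any external user can read in full, whatever the row owner
    for perm in site["table_permissions"]:
        roles = sorted(EXTERNAL_ROLES & set(perm["web_roles"]))
        if perm["access_type"] == "Global" and "Read" in perm["privileges"] and roles:
            global_read.add(perm["table"])
            findings.append((perm["table"], "Global read for " + ", ".join(roles)))
    for key, value in settings.items():
        parts = key.split("/")
        if len(parts) != 3 or parts[0] != "webapi" or parts[2] != "fields":
            continue
        table = parts[1]
        if settings.get(f"webapi/{table}/enabled") != "true":
            continue
        exposed = {f.strip() for f in value.split(",")}
        if "*" in exposed:
            findings.append((table, "Web API exposes all columns"))
        secured = set(site["secured_columns"].get(table, []))
        for col in site["pii_columns"].get(table, []):
            if table in global_read and col not in secured and ("*" in exposed or col in exposed):
                findings.append((table, f"PII column {col} readable without column security"))
    return findings

if __name__ == "__main__":
    print(*audit_site(SAMPLE_SITE), sep="\n")
```

A column is reported only when all three conditions from the article coincide: the table is globally readable by an external role, the column is enabled for the Web API, and no column security profile covers it.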

Microsoft has acknowledged these concerns and implemented warnings in Power Pages and Power Platform applications to alert administrators about potentially risky configurations [11]. This includes a banner on the admin console and notifications regarding the use of the ‘anonymous role’ in table permissions [11]. Despite these alerts, many organizations overlook them [8] [10], potentially due to the user demographic of Power Pages, which attracts less technical users [8]. The ease of use of low-code platforms can create a false sense of security [10], further exacerbating the risk of data exposure [10]. A proactive approach to maintaining SaaS security is essential in today’s evolving threat landscape [1], as integrating security considerations with user convenience is vital for protecting confidential data from cyber threats [2].

Conclusion

The vulnerabilities in Microsoft Power Pages highlight the critical need for robust access control configurations to prevent unauthorized data exposure. Organizations must prioritize security by conducting regular audits, customizing roles and permissions [2], and implementing stringent access controls. Microsoft’s efforts to alert administrators about risky configurations are a step in the right direction, but continuous vigilance and proactive security measures are essential to safeguard sensitive information in an increasingly complex digital landscape.

References

[1] https://appomni.com/ao-labs/microsoft-power-pages-data-exposure-reviewed/
[2] https://www.telegramevening.com/nhs-data-exposure-microsoft-power-pages-misconfigurations/
[3] https://www.roosho.com/1-1-million-uk-nhs-employee-records-exposed/
[4] https://cyberscoop.com/microsoft-power-pages-misconfiguration-appomni/
[5] https://www.infosecurity-magazine.com/news/microsoft-power-pages/
[6] https://wol.com/1-1-million-uk-nhs-employee-records-exposed/
[7] https://www.techrepublic.com/article/uk-nhs-employee-records-exposed/
[8] https://www.darkreading.com/cybersecurity-operations/microsoft-power-pages-millions-private-records
[9] https://securityboulevard.com/2024/11/microsoft-power-pages-data-exposure-reviewed/
[10] https://aiandtechs.com/microsoft-energy-pages-leak-thousands-and-thousands-of-non-public-data/
[11] https://www.itpro.com/security/misconfigurations-in-microsoft-power-pages-could-expose-millions-of-sensitive-records