Microsoft Power Pages Exposes Millions Of Private Records

If you’re using Microsoft Power Pages to build websites, there’s an important issue you need to know about. Recently, it was discovered that Power Pages could be exposing millions of private records due to misconfigured security settings.

Here’s why it’s a problem you should be aware of if you’re using Power Pages.

What Is Microsoft Power Pages? 

Microsoft Power Pages is a platform designed to help you build websites without needing to write a lot of code. Released in 2022, it grew out of something called PowerApps Portals, which was already helping businesses create websites quickly and easily. Power Pages is part of Microsoft’s suite of “low-code” drag-and-drop tools, which means it makes website creation accessible to people who aren’t necessarily developers but still want to create professional websites.

Power Pages sites are meant to be accessed by people outside a company, such as through customer portals, event registration sites, or resources for employees and retailers. The platform is used across many industries, including healthcare, education, finance, and government. When Microsoft first launched it, there were more than 250 million people already using websites built with Power Pages every month.

The Security Flaw

The platform uses a cloud-based database called Dataverse to store all the information for websites. Developers have several access controls at their disposal. These controls help define who can see and edit the data on a site, and they come in three main levels: site-level, table-level, and column-level.

The simplest are the site-level settings, which control whether a user needs to log in or register on the site before they can access any data. This is the first line of defense, but it’s only a basic step.

Next, there are table-level controls. These controls allow site admins to decide who can do what with the data. For example, an admin might allow some users to only view certain data, while others might have permission to edit or delete it. It’s a bit more granular, but still not the most detailed protection.

The most detailed, or granular, controls are applied at the Dataverse column level. This is where things like “masking” come into play. So, if you’re storing Social Security numbers, you could choose to hide the first five digits to protect people’s privacy. 

However, there’s a massive problem that has been discovered by experts like Aaron Costello, who leads research at AppOmni. It turns out that many websites built with Power Pages aren’t using those security controls properly—or sometimes, not at all. This means that sensitive data, like personal information or company details, can be exposed to anyone who knows where to look. And that’s a big issue. Websites that were meant to be private or restricted are now open to anyone who can find them. 

How Misconfigured Power Pages Can Expose Your Data

Costello has found that it’s “very, very trivial” to access exposed data. Sometimes, sites even allow anonymous users to read data. 

Some sites let anyone register and authenticate themselves without any real verification, which weakens the security even further. So, while a site might seem to have protections in place, like requiring login credentials to access certain data, these safeguards can be undermined if the site allows anyone to register or doesn’t use the advanced security features correctly.
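To make the interaction between the three control levels concrete, here is an added example (not from Costello's research or from Microsoft) that audits a simplified model of a site. The field names, role names, and sample site are assumptions constructed for illustration and do not reflect the real Power Pages or Dataverse schema.

```python
# Added example: simplified, hypothetical model of the three control layers.
# Field and role names are illustrative, not the Power Pages/Dataverse schema.
from dataclasses import dataclass, field

@dataclass
class Table:
    name: str
    read_roles: set                                   # table-level: roles allowed to read
    sensitive_columns: set = field(default_factory=set)
    masked_columns: set = field(default_factory=set)  # column-level masking applied

@dataclass
class Site:
    name: str
    login_required: bool     # site-level: must log in before any data access
    open_registration: bool  # anyone can self-register with no verification
    tables: list

def mask_ssn(ssn):
    """Column-level masking as described above: hide the first five digits."""
    digits = "".join(c for c in ssn if c.isdigit())
    return "***-**-" + digits[-4:]

def audit(site):
    """Return (severity, table, detail) for each table an outsider can read."""
    findings = []
    for t in site.tables:
        anon = "anonymous" in t.read_roles and not site.login_required
        self_reg = "authenticated" in t.read_roles and site.open_registration
        if not (anon or self_reg):
            continue
        path = "anonymous read" if anon else "read after open self-registration"
        unmasked = sorted(t.sensitive_columns - t.masked_columns)
        severity = "high" if unmasked else "review"
        findings.append((severity, t.name, f"{path}; unmasked sensitive: {unmasked}"))
    return findings

# Constructed sample site: login is required, but registration is open to anyone.
SAMPLE = Site("portal.example", login_required=True, open_registration=True, tables=[
    Table("staff_directory", {"authenticated"}, {"home_address", "ssn"}, {"ssn"}),
    Table("event_listing", {"anonymous", "authenticated"}),
    Table("payroll", {"hr_admin"}, {"ssn"}),
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(mask_ssn("123-45-6789"))
```

In the sample, the login requirement looks like protection, yet the staff directory is still flagged because any self-registered account receives the role that can read it.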

Even though Costello only looked at websites hosted by organizations that were willing to hear about security issues, he still found that 5 million to 7 million records were exposed. Among his findings, he cited a large shared business service provider that accidentally leaked the personal details of 1.1 million employees from the UK’s National Health Service (NHS). The data included phone numbers, email addresses, and home addresses.

Why This Is An Issue You Should Be Aware Of

Costello points out that this issue isn’t really about Power Pages itself—it’s about how people are using it, or more specifically, how they might be misunderstanding the security features it offers.

One reason for this is that Power Pages, like many low- and no-code platforms, is designed to be user-friendly. While that’s a great feature for making website creation accessible, it can lead to problems when it comes to security.

If you’re someone who isn’t technically inclined, you might be more focused on just dragging and dropping buttons or forms to get your website looking how you want it. But, if you don’t understand how access controls work, you might not take the time to set them up properly. And that’s where things can go wrong.

The ease of designing a website on these platforms can sometimes make people feel too comfortable. It can create a false sense of security, where you think everything is good just because the website looks fine and works well. But designing the website might not be the hard part—ensuring that only the right people can access sensitive data is where the real challenge lies.

So, if you’re using a low-code platform, take the time to learn about access controls and other security measures. It might seem like extra work, but keeping your data and the data of anyone using your site safe is beneficial in the long run.

FAQ

When Should I Use Power Pages?

Microsoft Power Pages is perfect for creating professional websites without coding, collecting data via forms or surveys, automating responses, designing marketing landing pages, or building microsites for events or campaigns. It’s an ideal tool for businesses or organizations looking to simplify website creation and engagement.

How Did The Data Leak Happen? 

According to reports, the data leak occurred due to misconfigurations in the way organizations were using Microsoft Power Pages. Specifically, some users of the platform had left their databases unsecured or publicly accessible. This could be due to a lack of knowledge about proper security practices or simply a lack of attention to detail when setting up the platform.

What Should I Do If My Information Was Exposed In The Microsoft Power Pages Leak?

If you suspect you’ve been affected by the Microsoft Power Pages leak, check data breach sites to see if your information was exposed. If your information was exposed, change your passwords for any accounts that used the leaked password, and enable multi-factor authentication (MFA) if possible. Be on the lookout for phishing emails or other social engineering attempts to con you into revealing your information.

With expertise in encryption, access controls, and threat detection, 2Secure ensures your data remains safe from cyberattacks, unauthorized access, and breaches, allowing you to focus on your business with peace of mind.
