Over a million NHS employee records — including email addresses, phone numbers, and home addresses — were exposed online due to a misconfiguration of the low-code website builder Microsoft Power Pages.

In September, researchers with the software-as-a-service security platform AppOmni identified a large shared business service provider for the NHS that was allowing unauthorised access to sensitive data through insecure permission settings on Power Pages.

Specifically, the permissions on some tables and columns in Power Pages Web API were too broad, inadvertently granting access to “Anonymous” users or those who aren’t logged in. The misconfiguration has since been disclosed to the NHS and resolved.

However, AppOmni’s authorised testing also uncovered several million other records belonging to organisations and government entities which were exposed because of the same misconfigurations.

Data included internal company files and information, as well as the information of registered site users, like customers. Such an exposure not only violates patient privacy but also opens businesses up to compliance risks, as data privacy laws like GDPR require strict protection of personal health information.

SEE: Research Eyes Misconfiguration Issues At Google, Amazon and Microsoft Cloud

Aaron Costello, chief of SaaS security research at AppOmni, told TechRepublic by email: “These exposures are significant — Microsoft Power Pages is used by over 250 million users every month, as well as industry-leading organisations and government entities, spanning financial services, healthcare, automotive, and more.

“AppOmni’s discovery highlights the significant risks posed by misconfigured access controls in SaaS applications: sensitive information, including personal details, has been exposed here.

“It’s clear that organisations need to prioritise security when managing external-facing websites, and balance ease of use with security in SaaS platforms — these are the applications holding the bulk of confidential corporate data today, and attackers are targeting them as a way into enterprise networks.”

Common Power Pages misconfigurations

Within Power Pages, admins specify which users can access different elements of a site’s underlying Dataverse, the Power Platform’s data storage layer.

One of the main benefits of using Power Pages over traditional web development is its out-of-the-box role-based access control. However, this convenience can also lead technical teams to become complacent.

AppOmni identified the following primary ways that business data was being exposed:

• Allowing open self-registration: This is the default setting when a site is deployed and allows Anonymous users to register and become “Authenticated,” a user type that typically has more permissions enabled. Even if registration pages are not visible on the platform, users may still be able to register and become Authenticated through associated APIs.
• Granting tables with “Global Access” for external users: If Anonymous users are given “Global Access” permissions on a certain table, anyone can view the rows. The same is true if Authenticated users have this permission and open self-registration is enabled.
• Not enabling column security for sensitive columns: Even if the table has some access controls, attackers may find certain columns lack column-level security, allowing data to be viewed without restriction. Column security often isn’t applied consistently, especially in tables where access is configured at a broader level. AppOmni says this could be related to the tedious setup process or the fact that it was not intended to be done by the public.
• Not replacing sensitive data with masked strings: This is an alternative to applying column-level security that would not hinder site functionality.
• Exposing excessive columns to the Power Pages Web API: AppOmni often sees organisations allowing all columns of a single table to be retrievable by the Web API, opening up more information than necessary to possible exposure if a bad actor gains unauthorised access.

Ensuring your Power Pages site is secure

Know the warning signs

Microsoft has enabled several warning signs for when it detects a potentially dangerous configuration, including:

• Banner on Power Platform admin console pages: This warns that if a site is public, any changes made will be visible immediately.
• Message on Power Page’s table permissions configuration page: This tells admins that data visible to the Anonymous role means that it can be seen by anyone.
• Warning icon on Power Page’s table permissions configuration page: This is displayed beside any permission granting Global Access to Anonymous users.

Audit access controls

Power Pages admins must, ideally, avoid giving excessive levels of access to external users by analysing the site settings, table permissions, and column permissions. AppOmni suggests re-evaluating how the following are configured:

• Site settings: Specifically:
  • Webapi/<object>/enabled
  • Webapi/<object>/fields
  • Authentication/Registration/Enabled
  • Authentication/Registration/OpenRegistrationEnabled
  • Authentication/Registration/ExternalLoginEnabled
  • Authentication/Registration/LocalLoginEnabled
  • Authentication/Registration/LocalLoginDeprecated
• Table permissions: Any table that has the “Access Type” set to “Global Access” and is associated with external roles.
• Column permissions: Any columns belonging to tables that are accessible to external users, which do not have column security enabled and an appropriate mask.
• Column Security Profiles: Any column security profiles that include external roles.

If changing these would break site functionality, AppOmni recommends deploying a custom API endpoint to validate user-supplied information.