Researchers have discovered multiple misconfigured implementations of Microsoft Power Pages, and suspect the problem may be widespread.
Power Pages is a low-code tool that enables easy generation of web portals, typically fronting Microsoft’s Dataverse relational database. It is widely used by government entities, educational institutions, and private organizations around the world – sometimes to allow public interaction with the organization, and sometimes to provide remote access to data for employees.
Aaron Costello, chief of SaaS security research at AppOmni, investigated a small number of installations and rapidly found several with misconfigurations allowing unintentional access to confidential data. He found around 7 million exposed records in about half a dozen implementations. For example, he notes in his analysis, “A large, shared business service provider for the NHS was leaking the information of over 1.1 million NHS employees, with large portions of the data including email addresses, telephone numbers, and even home addresses of the employees.”
The problem is purely a configuration issue, and not a Microsoft issue. In fact, the MS product displays numerous banner warnings when it notes potential configuration concerns. What Microsoft cannot do is ensure that its users respond to the warnings.
The real problem might be the dilemma facing all software providers – making a product that is easy to use and attractive to purchase without being easy to misuse. Power Pages provides out-of-the-box role-based access control, automatic compatibility with Dataverse, and drag-and-drop pre-built code components. Modern technology can make building portals relatively easy, but security and maintenance remain complex. This can create a mismatch between implementation and maintenance, leading to either initial or emerging misconfigurations beyond the competence of the company concerned.
The need for custom code is reduced, but not eliminated. The misconfigurations and data exposures “are occurring due to a misunderstanding of access controls within Power Pages, and insecure custom code implementations,” notes a report. “By granting unauthenticated users excessive permissions, anyone may have the ability to extract records from the database using readily available Power Page APIs.”
It is potentially this mismatch between the ease of low-code build and the complexity of access control that is the root of the misconfigurations. “It’s very, very easy for an organization to say, ‘Okay, well, I want all internal employees to have access to each other’s email addresses when they log in’ – and in doing so, it’s easy to accidentally expose their home addresses and phone numbers in the process of that,” Costello told SecurityWeek.
This problem is then exacerbated by the still common siloed relationship between development and security teams – there remains friction between the two teams over who should actually own this issue.
Costello believes that Power Pages misconfigurations may be very widespread, particularly within the UK and European public sector. “The public sector is under a lot of pressure to get things up and running as quickly as possible. If citizens or employees need a service, the sector tries to push that as fast as possible – and it’s very easy to accidentally expose data when you’re rushing.” But the same argument will apply to all government entities and private companies anywhere in the world. “When you rush things, it typically doesn’t end too well,” he added.
Since the problems are not down to Microsoft code, but the users’ use of that code, AppOmni has not reported its findings directly to Microsoft because there is nothing for Microsoft to fix. The firm has, however, reported its findings to all the affected companies it has discovered – and all the discovered misconfigurations have now been fixed.
But this doesn’t solve the ongoing misconfiguration issue. The problem is likely to continue, since modern low-code technology enables low-expertise users to develop complex solutions. Pentesting can find misconfigurations but does not solve the issue: what is correct today might be misconfigured tomorrow through continuous evolution. If the basic cause is modern technology, so must be the solution. AppOmni recommends continuous monitoring with a system able to detect such misconfigurations.
The bottom line to Costello’s investigations is, however, very simple: it is easy and common to misconfigure Power Pages web portals.