Microsoft's Power Pages is an easy-to-use, low-code platform that lets users build data-driven websites with only a little programming knowledge or experience. Organizations large and small, in both the public and private sectors, rely on it to collect and analyze data that helps them deal with customers or citizens seeking information to solve a problem.
These websites can also leak their organizations' sensitive information if their settings are not configured properly.
According to cybersecurity researchers, a newly discovered vulnerability in Microsoft Power Pages stems from misconfigured access controls in websites built on the platform and can expose sensitive data.
If the vulnerability resulted in millions of sensitive business records being exposed to unauthorized users, it could pose a serious security risk for the affected organizations.
Power Pages is an application service platform based on the Power Platform. It gives developers a low-code way to build externally facing websites on top of Microsoft's infrastructure without a lot of coding.
Power Pages takes a layered approach to access control for a custom website. A site's permissions can be configured at the table level or at the column level. Even so, businesses that misconfigure these settings can unintentionally expose sensitive data to the public internet.
Organizations can expose more columns to the Web API than are necessary, thereby increasing the potential attack surface of their applications.
According to Aaron Costello, AppOmni's chief of SaaS security research, Power Pages users have to pay more attention to the software's security settings to ensure their information is protected, especially given the product's popularity. Microsoft stated earlier this year that websites created with Power Pages have over 250 million users every month. Several AppOmni and Microsoft 365 customers are now using AppOmni Insights to help detect these kinds of exposures and to get remediation guidance when such exposures are found.
To understand how these kinds of vulnerabilities arise, it helps to first understand the platform's RBAC model and how Power Pages sites are constructed.
Compared with traditional custom web development, Power Pages has the following main advantages: out-of-the-box (OOB) role-based access control (RBAC), the option of automatically using Microsoft's Dataverse as the database, and a drag-and-drop interface built on prebuilt components, which greatly reduces the need for custom code in the design of the website.
Granting too many permissions to roles like "Anonymous Users" (non-authenticated visitors) and "Authenticated Users" (authenticated visitors) may expose an organization to data leaks that it did not anticipate.
Microsoft's customers can deploy these data-driven web applications easily. However, if the applications are mismanaged from a security perspective, the cost can be heavy. The exposed data is primarily made up of internal organization files as well as sensitive personal information about both users inside the organization and those who register on the website.
In the majority of these cases, PII was recovered, consisting of full names, email addresses, phone numbers, and home addresses.
A large shared business service provider to the NHS leaked the information of over 1.1 million NHS employees, with many parts of the data including email addresses, telephone numbers, and even the employees' home addresses, without the employees' knowledge.
In this particular case, the findings were responsibly disclosed and have since been resolved.
A lack of understanding of the access controls in Power Pages, together with insecure custom code implementations, is the main reason for these data leaks. When excessive permissions are given to unauthenticated users, any user may be able to extract records from the database through the readily available Power Pages APIs on the web.
A Power Pages site also allows users to create accounts and, once registered, become authenticated with the help of APIs. Users from outside of the company can also be granted global access for read operations on the system.
Researchers identified that the absence of column-level security in Microsoft Power Pages could enable unauthorized individuals to access sensitive data without restrictions. Additionally, it was noted that users often fail to replace sensitive information with masked strings, further exacerbating security vulnerabilities.
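The combination described above (global read access for an open role, columns exposed to the Web API, and no column-level security) can be checked mechanically. The following is an added example, not code from Microsoft, AppOmni, or the original article: the dictionary layout, table names, and the `SECURED_TABLES` set are constructed assumptions, while the `Webapi/<table>/enabled` and `Webapi/<table>/fields` keys follow the Power Pages site-setting naming.

```python
# Added example: audit a constructed snapshot of Power Pages access settings.
# The data layout is hypothetical; a real review would load exported settings.
OPEN_ROLES = {"Anonymous Users", "Authenticated Users"}

TABLE_PERMISSIONS = [  # constructed sample data
    {"table": "contact", "access_type": "Global",
     "privileges": {"read"}, "roles": {"Anonymous Users"}},
    {"table": "incident", "access_type": "Global",
     "privileges": {"read", "write"}, "roles": {"Authenticated Users"}},
    {"table": "account", "access_type": "Contact",
     "privileges": {"read"}, "roles": {"Authenticated Users"}},
]
SITE_SETTINGS = {  # constructed sample data
    "Webapi/contact/enabled": "true", "Webapi/contact/fields": "*",
    "Webapi/incident/enabled": "true",
    "Webapi/incident/fields": "title,ticketnumber",
    "Webapi/account/enabled": "false", "Webapi/account/fields": "*",
}
SECURED_TABLES = {"incident"}  # tables assumed to have column-level security


def webapi_fields(settings, table):
    """Columns exposed through the Web API, or None if it is disabled."""
    if settings.get(f"Webapi/{table}/enabled", "false").lower() != "true":
        return None
    raw = settings.get(f"Webapi/{table}/fields", "")
    return [f.strip() for f in raw.split(",") if f.strip()]


def audit(permissions, settings, secured_tables):
    """Flag tables that open roles can read globally via the Web API."""
    findings = []
    for perm in permissions:
        roles = sorted(perm["roles"] & OPEN_ROLES)
        if (not roles or perm["access_type"] != "Global"
                or "read" not in perm["privileges"]):
            continue  # scoped access or no open role: not this exposure
        fields = webapi_fields(settings, perm["table"])
        if fields is None:
            continue  # this check only covers the Web API path
        # Self-registration makes "Authenticated Users" external too.
        severity = "high" if "Anonymous Users" in roles else "medium"
        reasons = [f"global read for {', '.join(roles)}"]
        if "*" in fields:
            reasons.append("all columns exposed to Web API")
        if perm["table"] not in secured_tables:
            reasons.append("no column-level security")
        findings.append((severity, perm["table"], reasons))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(TABLE_PERMISSIONS, SITE_SETTINGS, SECURED_TABLES):
        print(finding)
```
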
In response, Microsoft has implemented multiple safeguards within the backend of Power Pages and Power Platform Apps. These measures include warning banners across all Power Platform admin console pages, as well as prominent alerts and warning icons on the table permissions configuration page of Power Pages. These updates aim to help administrators identify and address potentially risky configurations.
This incident underscores the importance of proactive security practices in safeguarding sensitive data. Organizations utilizing Power Pages are encouraged to review and strengthen their configurations to mitigate risks and enhance overall security.