Low-Code, High Risk: Millions of Records Exposed via Misconfigured Microsoft Power Pages

Security researcher investigated Microsoft Power Pages installations and found several with misconfigurations allowing unintentional access to confidential data.

Researchers have discovered multiple misconfigured implementations of Microsoft Power Pages, and suspect the problem may be widespread.

Power Pages is a low code tool that enables easy generation of web portals, typically fronting Microsoft’s Dataverse relational database. It is widely used by government entities, educational institutions, and private organizations around the world – sometimes to allow public interaction with the organization, and sometimes to provide remote access to data for employees.

Aaron Costello, chief of SaaS security research at AppOmni, investigated a small number of installations and rapidly found several with misconfigurations allowing unintentional access to confidential data. He found around 7 million exposed records in about half a dozen implementations. For example, he notes in his analysis, “A large, shared business service provider for the NHS was leaking the information of ...