Microsoft Power Pages misconfigurations exposing sensitive data

Private businesses and public-sector organizations are unwittingly exposing millions of people's sensitive information to the public internet because they misconfigure Microsoft’s Power Pages website creation problem.

So says Aaron Costello, chief of SaaS security research at security-for- SaaS vendor AppOmni, who uncovered the issue in September.

In a post published Thursday, Costello details how he uncovered "significant amounts of data" – both internal org files and personal identifiable information (PII) – left out in the open for anyone to take a look at thanks to misconfigured access controls in websites built using Power Pages.

It's a big deal because more than 250 million users use Power Pages – a Microsoft website design service - each month.

"In one case, a large shared business service provider for the [UK National Health Service] NHS was leaking the information of over 1.1 million NHS employees, with large portions of the data including email ...