Misconfigurations in Microsoft Power Pages could expose millions of sensitive records
The issue has already meant the personal information of over 1.1 million NHS workers was exposed to the public internet


A data exposure issue stemming from misconfigured access controls in Microsoft Power Pages has left several million records exposed to unauthorized users, new research reveals.
Aaron Costello, chief of SaaS security and research at AppOmni, detailed how Microsoft’s website building platform could be granting anonymous users permissions to access sensitive PII.
In September 2024, Costello said he uncovered “significant amounts of data being exposed to the public internet as a result of misconfigured access controls in Microsoft Power Page websites.”
Microsoft Power Pages is a low-code SaaS platform that lets users build externally facing websites on Microsoft’s infrastructure; according to AppOmni, it is used by over 250 million people a month.
“The main benefits of Power Pages over traditional custom web development include out-of-the-box (OOB) role based access control (RBAC), the automatic ability to use Microsoft’s Dataverse as a database, and a drag-and-drop interface using pre-built components which greatly reduces the need for custom code.”
Costello warned, however, that the easy deployments enabled by Power Pages could come at the expense of security if the platform is not managed correctly, stating that he has discovered several million records of sensitive data exposed to the public internet during his testing.
Costello noted one case where a large shared business service provider for the NHS was found to have leaked information of over 1.1 million NHS employees.
The leaked information contained email addresses, telephone numbers, as well as home addresses of the employees, with the report noting this specific incident has been resolved since its discovery.
Admins should be wary of using ‘anonymous role’ in table permissions
Costello said these data exposures are possible due to a misunderstanding of access controls within Power Pages, as well as insecure custom code implementations.
“By granting unauthenticated users excessive permissions, anyone may have the ability to extract records from the database using readily-available Power Page APIs,” he explained.
The report identified four causes for the exposures, the first being the fact that Power Page exposes excessive columns to the Web API, which Costello noted is not necessarily an issue, but could amplify the degree of information exposed if unauthorized access occurs.
A Power Pages site has self-registration and login enabled by default, which means that although the page may not be visible on the platform, users may still be able to register and authenticate through the associated APIs.
External users can also be granted global access for read operations, providing them with unrestricted read access to all rows of data regardless of record ownership.
Costello warned that if an organization has enabled both external registration and external login, it needs to include the ‘authenticated users’ role in its definition of ‘external users’.
The issue is also caused by admins not enabling column security for sensitive columns, which means that every column that is web API enabled will be exposed to external users if permissions at the table level are misconfigured.
Finally, Costello said that throughout his testing he did not observe the use of obfuscation for sensitive columns.
“If an organization does not wish to leverage column security profiles, it may be wise to apply masks to PII related columns exclusively for external users, without hindering site functionality.”
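The following is an added example (not code from the report or from Microsoft) showing how a defender could audit table-permission definitions for the pattern described above: an external web role holding Global-scope Read on a table whose PII columns are web API enabled and not covered by column security. The record layout and field names are a constructed simplification, not the real Dataverse export schema.

```python
# Added example: flag Power Pages table permissions that grant external roles
# Global-scope Read on tables with unprotected, Web-API-enabled PII columns.
# Record layout is a constructed simplification of the real configuration.
from dataclasses import dataclass, field

@dataclass
class TablePermission:
    table: str
    scope: str          # "Global", "Contact", "Account", "Self" or "Parent"
    privileges: set     # e.g. {"Read"}
    web_roles: set      # web roles the permission is assigned to

@dataclass
class TableConfig:
    name: str
    web_api_columns: set                                # enabled for the site Web API
    column_secured: set = field(default_factory=set)    # under a column security profile
    pii_columns: set = field(default_factory=set)       # classified as PII by the org

# Per the report, "external users" covers anonymous AND self-registered users.
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}

def audit(permissions, tables):
    """Return one finding per permission letting external roles read PII globally."""
    by_name = {t.name: t for t in tables}
    findings = []
    for p in permissions:
        roles = p.web_roles & EXTERNAL_ROLES
        if not roles or "Read" not in p.privileges or p.scope != "Global":
            continue            # row-scoped or non-read permissions are not the issue
        t = by_name.get(p.table)
        if t is None:
            continue
        exposed = (t.web_api_columns & t.pii_columns) - t.column_secured
        if exposed:             # column security would have masked these columns
            findings.append({"table": p.table, "roles": sorted(roles), "columns": sorted(exposed)})
    return findings

def sample_findings():
    """Constructed sample: one weak permission, one corrected one, one harmless one."""
    pii = {"emailaddress1", "telephone1", "address1_line1"}
    tables = [TableConfig("contact", web_api_columns=pii | {"fullname"}, pii_columns=pii),
              TableConfig("knowledgearticle", web_api_columns={"title", "content"})]
    perms = [TablePermission("contact", "Global", {"Read"}, {"Anonymous Users"}),   # weak
             TablePermission("contact", "Contact", {"Read"}, {"Authenticated Users"}),  # fixed
             TablePermission("knowledgearticle", "Global", {"Read"}, {"Anonymous Users"})]
    return audit(perms, tables)
```

Run against a real export, the same rule set reproduces the four conditions the report lists: external role, Global scope, Read privilege, and PII columns that are web API enabled without column security.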
He noted that Microsoft has included a number of warnings in the backend of the Power Pages and Power Platform applications when it detects a configuration that could leave the organization vulnerable.
This included a banner on all Power Platform admin console pages, which warns that if a page is public, any changes would be immediately visible, as well as an informational message within Power Page’s table permissions configuration page, warning admins about the risks of using the ‘anonymous role’ in table permissions.
A Microsoft spokesperson told ITPro the firm was aware of Costello's report and gave the following statement.
"We provide strict data access by default, and there are security and governance controls for IT administrators to customize to their organization’s needs. Additionally, there are notifications to alert makers about potentially risky data permissions when new tables are enabled on websites, and IT admins can monitor activity through the Power Platform Admin Center."

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.