What is Microsoft Power Pages?
Microsoft Power Pages, a low-code SaaS platform, enables organisations to swiftly develop external-facing websites. While it offers convenience and efficiency, recent findings have highlighted significant data exposure risks stemming from misconfigured access controls. These misconfigurations can inadvertently expose sensitive information to unauthorised users, underscoring the critical need for robust security practices.
Common Use Cases for Microsoft Power Pages
Organisations across various sectors leverage Microsoft Power Pages for numerous applications, including:
- Customer Service Portal – Self-service platform for customer inquiries and support
- Employee Onboarding – Streamlined processes for new hire documentation and training
- Event Registration Platform – Automated registration and management systems
- Vendor Management System – Centralised vendor information and relationship management
- Community Forum – Interactive platforms for user engagement and discussion
- Knowledge Bases – Centralised repositories for organisational information
- Appointment Scheduling Site – Automated booking and calendar management
- E-learning Portal – Educational content delivery and training platforms
- Patient Portal – Healthcare information access and appointment management
- Incident Reporting System – Streamlined reporting and tracking of organisational incidents
How Did This Happen?
A cybersecurity researcher discovered substantial data exposures in Microsoft Power Pages websites due to misconfigured access controls. These vulnerabilities resulted in the public exposure of sensitive data, including Personally Identifiable Information (PII) such as full names, email addresses, phone numbers, and home addresses.
Most notably, a large, shared business service provider for the UK’s National Health Service (NHS) inadvertently leaked information about over 1.1 million NHS employees, encompassing email addresses, telephone numbers, and home addresses. This issue was caused specifically by a misconfiguration of Power Apps.
Severity of the Breach
The misconfigurations identified have led to the exposure of millions of sensitive records across various sectors, including technology, healthcare, and finance. The NHS incident alone affected over a million employees, highlighting the extensive impact such vulnerabilities can have on both individuals and organisations. The exposed data, accessible to unauthorised users, poses significant risks, including identity theft, phishing attacks, and other malicious activities.
Impact on Affected Organisations
The data exposure has far-reaching implications for the organisations involved. Beyond the immediate risk of data theft, companies may face legal repercussions, regulatory fines, and damage to their reputations. Customers whose data has been compromised are at increased risk of identity theft, financial fraud, and other malicious activities.
For businesses, this incident underscores the importance of thoroughly understanding and correctly configuring security settings in all platforms they use. Relying on default settings without a comprehensive security review can lead to vulnerabilities that are easily exploitable.
Causes of Data Exposure
The primary cause of these data exposures is the misconfiguration of access controls within Power Pages. Key factors contributing to the breach include:
- Enabling Open Self-Registration: By default, newly deployed Power Pages sites permit anonymous users to register and obtain “Authenticated” status, which generally comes with expanded permissions. Even if registration pages are not explicitly displayed on the site, users can still sign up and authenticate through associated APIs.
- Assigning “Global Access” Permissions to External Users: Granting “Global Access” to tables for anonymous users makes all records within those tables publicly accessible. Similarly, if authenticated users are assigned this permission and self-registration is open, unauthorised individuals could exploit it to gain unrestricted data access.
- Lack of Column-Level Security for Sensitive Data: Even when table-level access controls are in place, attackers may still access unprotected columns if column-level security is not applied. This inconsistency in security implementation, often due to the complexity of the setup process or a lack of awareness, leaves certain data vulnerable to exposure.
- Failure to Mask Sensitive Data: Instead of using column-level security, organisations can apply data masking techniques to obfuscate sensitive information. However, many fail to implement this, leaving confidential data readable by unauthorised users.
- Overexposing Data via the Power Pages Web API: Organisations frequently configure the Web API to expose all columns of a table, rather than limiting access to only necessary fields. This practice increases the risk of data leaks, as unauthorised individuals gaining access to the API could retrieve excessive amounts of sensitive information.
How to Detect Misconfigurations in Microsoft Power Pages
Detecting such misconfigurations requires a comprehensive review of access control settings within Power Pages deployments. Organisations should:
- Audit Site-Level Settings: Ensure that authentication and registration configurations align with security policies, disabling open registrations if not necessary.
- Review Table and Record Permissions: Verify that permissions granted to roles, especially ‘Anonymous Users’ and ‘Authenticated Users,’ are appropriate and do not provide excessive access.
- Implement Column-Level Security: Utilise column security profiles and data masking to protect sensitive information from unauthorised access.
- Continuous Monitoring: Regularly monitor and assess configurations to detect and remediate any deviations from established security baselines.
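The checks above, together with the risky combinations listed under Causes of Data Exposure, can be run as an automated review. The following is an added example, not code from the original article or from Microsoft. It assumes the site settings and table permissions have already been collected into a simple dictionary (that layout and the rule names are hypothetical) and uses the site-setting names Authentication/Registration/OpenRegistrationEnabled and Webapi/<table>/enabled and /fields.

```python
# Added example. The inventory layout (dict keys, role names as strings) is
# an assumption of this sketch, not an official Power Pages export format.
OPEN_REG = "authentication/registration/openregistrationenabled"

SAMPLE = {  # constructed sample data
    "site_settings": {
        "Authentication/Registration/OpenRegistrationEnabled": "true",
        "Webapi/contact/enabled": "true",
        "Webapi/contact/fields": "*",
        "Webapi/incident/enabled": "true",
        "Webapi/incident/fields": "title,statuscode",
    },
    "table_permissions": [
        {"table": "contact", "access_type": "Global", "roles": ["Authenticated Users"]},
        {"table": "incident", "access_type": "Contact", "roles": ["Authenticated Users"]},
        {"table": "knowledgearticle", "access_type": "Global", "roles": ["Anonymous Users"]},
    ],
}


def _is_true(value):
    return str(value).strip().lower() == "true"


def audit(inventory):
    """Return sorted (rule, target) findings for one site inventory."""
    settings = {k.lower(): v for k, v in inventory.get("site_settings", {}).items()}
    findings = set()
    # A missing setting is treated as open, matching the default described above.
    open_reg = _is_true(settings.get(OPEN_REG, "true"))
    if open_reg:
        findings.add(("OPEN_REGISTRATION", "site"))
    for perm in inventory.get("table_permissions", []):
        if perm.get("access_type", "").lower() != "global":
            continue  # only Global access exposes every record in the table
        roles = {r.lower() for r in perm.get("roles", [])}
        if "anonymous users" in roles:
            findings.add(("GLOBAL_ANONYMOUS", perm["table"]))
        if "authenticated users" in roles and open_reg:
            findings.add(("GLOBAL_AUTHENTICATED_OPEN_REG", perm["table"]))
    for key, value in settings.items():
        parts = key.split("/")
        if len(parts) == 3 and parts[0] == "webapi" and parts[2] == "fields":
            enabled = _is_true(settings.get(f"webapi/{parts[1]}/enabled", "false"))
            if enabled and str(value).strip() == "*":
                findings.add(("WEBAPI_ALL_COLUMNS", parts[1]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, target in audit(SAMPLE):
        print(f"{rule}: {target}")
```

Running the same audit on a schedule and comparing the findings against an approved baseline covers the continuous-monitoring step.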
Conclusion
The incidents of data exposure in Microsoft Power Pages serve as a stark reminder of how easily misconfigurations can compromise sensitive information on a massive scale. While the platform offers immense value across industries—from healthcare and finance to education and community services—the responsibility of securing these deployments ultimately lies with the organisations that use them.
By proactively auditing configurations, applying granular access controls, and implementing continuous monitoring, organisations can mitigate risks and safeguard the sensitive data entrusted to them. The lesson is clear: security cannot be treated as an afterthought. In today’s threat landscape, robust configuration and vigilant oversight are not optional—they are essential to protecting both people and businesses from preventable breaches.


