Misconfigured access controls on sites built with Microsoft’s Power Pages, a low-code platform for building external-facing web portals, have led to multiple data exposures affecting millions of user records.
The issue was brought to light by Aaron Costello, chief of SaaS security research at AppOmni, who discovered the problem during authorized testing in September. His findings emphasize how misconfigured access controls can grant unintended permissions, exposing sensitive information to public access.
The Scope of the Problem: NHS Breach as an Example
One of the most serious incidents Costello reported involved an NHS contractor’s site that exposed records on more than 1.1 million employees, including personal details such as email addresses and home addresses. The exposure was closed shortly after disclosure, but similar misconfigurations remain a risk across sectors, from healthcare to finance.
Power Pages controls data access through web roles. Two built-in roles matter most: Anonymous Users, which every unauthenticated visitor holds, and Authenticated Users, which every signed-in user holds. Table permissions are attached to roles, so a permission granted to either built-in role is effectively granted to the public. The platform also lets organizations enable open self-registration, and when it is enabled anyone on the internet can obtain the Authenticated Users role simply by creating an account.
Costello noted that site builders often treat Authenticated Users as if it were an internal role and attach permissions meant for staff to it, forgetting that on a site with open registration that role is held by anyone who signs up. This is what makes such sites so exposed.
Technical Challenges with Permissions
The platform’s security model has three layers: site settings, table permissions, and column permissions. Sites can additionally expose Dataverse tables through the portal Web API (the /_api endpoint), which is switched on per table in site settings and enforces the same table permissions as the rest of the site. When those permissions are too broad, the Web API gives an external user a convenient way to read, and depending on the privileges granted to modify, data in bulk.
Costello found that many sites had overly permissive table permissions, most often Global scope, which grants the privilege on every row in the table regardless of any relationship between the row and the signed-in user.
To mitigate this, Power Pages includes column-level security, enabling data masking using regex-based patterns to hide specific information. However, this feature is complex to implement, involving steps such as creating regex masks, enabling column security, and assigning permissions through security profiles.
“Throughout the entirety of my testing, not a single implementation of column-level security was present to prevent access to sensitive columns. Whether this is due to the initially tedious setup duration, or the fact that creating your own regexes is a pre-release feature ‘not intended for production’, this security feature is widely slept upon by organizations,” Costello reported, emphasizing that this oversight often leaves sensitive data accessible to unauthorized users.
Demonstrating Exploitable Misconfigurations
Costello demonstrated the exposure with Burp Suite, a proxy that intercepts and modifies HTTP requests. By inspecting the portal’s own traffic, a tester can identify which tables the site exposes and then craft modified requests that retrieve rows the pages never intended to show. The error messages the API returns for malformed or unauthorized requests also reveal table and column names, which helps an attacker map the exposed schema and target the most sensitive data.
Power Pages does show warnings, including admin console alerts and in-site banners, when it detects risky configurations, but according to Costello these checks do not cover the Authenticated Users role, which is exactly the role any member of the public can obtain when open registration is enabled.
Microsoft Warnings and the Role of Administrators
Microsoft provides several alerts within the Power Pages admin interface, including warnings about global access permissions and banners indicating public data exposure risks. While helpful, these notifications are not a substitute for thorough audits of access permissions.
Costello’s report highlights that organizations must pay attention to site settings, table permissions, and column-level security to avoid inadvertent data leaks. He suggests that for organizations requiring custom functionality, creating API endpoints specific to their needs would offer better control.
Setting up column-level masking in Power Pages is more involved than on comparable SaaS platforms. Administrators must define masking rules as regex patterns, enable column security on the relevant columns, and create column security profiles that decide who sees real values and who sees masked ones. The number of steps discourages many organizations from using the safeguard at all, leaving sensitive columns readable in full by anyone with table-level read access.
Addressing the Risks: Recommendations for Organizations
To address these risks, the recommended approach is a comprehensive audit that starts at site-level settings (including whether open registration and the Web API are enabled) and works down through table permissions to column permissions. Any permission that grants broad access, above all Global scope for the Anonymous Users or Authenticated Users roles, deserves particular scrutiny. Microsoft’s built-in alerts help surface some risky configurations, but continuous monitoring of the configuration itself gives administrators a near real-time view of permission changes and unexpected data access.
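As an added example (not code from the article, from AppOmni, or from Microsoft), the following Python script performs the kind of audit described above against an exported snapshot of a site's configuration. It flags every table permission that grants Global-scope read to one of the built-in external roles, then checks whether the portal Web API is enabled for that table and which of the organization's sensitive columns are reachable through it without column-level security. The record shapes follow the Dataverse tables Power Pages stores its configuration in (adx_webrole, adx_entitypermission, adx_sitesetting) and the documented Webapi/<table>/enabled and Webapi/<table>/fields site settings; the option-set values for scope, the sample records, the sensitive-column list and the secured-column list are constructed assumptions, so verify the option-set values against your own environment's metadata before relying on the output.

```python
"""Offline audit of Power Pages table permissions, Web API site settings and column security.

All records below are constructed samples for a fictional portal, not data from any real site.
"""

# adx_entitypermission.adx_scope option-set values.
# Assumption: these match the Power Pages management tables; check your environment's metadata.
SCOPE_NAMES = {
    756150000: "Global",
    756150001: "Contact",
    756150002: "Account",
    756150003: "Parent",
    756150004: "Self",
}
SCOPE_GLOBAL = 756150000

# Constructed web roles: the two built-in roles plus one internal role.
WEB_ROLES = [
    {"adx_webroleid": "r-anon", "adx_name": "Anonymous Users",
     "adx_anonymoususersrole": True, "adx_authenticatedusersrole": False},
    {"adx_webroleid": "r-auth", "adx_name": "Authenticated Users",
     "adx_anonymoususersrole": False, "adx_authenticatedusersrole": True},
    {"adx_webroleid": "r-admin", "adx_name": "Administrators",
     "adx_anonymoususersrole": False, "adx_authenticatedusersrole": False},
]

# Constructed table permissions; "roles" stands in for the N:N link to adx_webrole.
TABLE_PERMISSIONS = [
    # The misconfiguration the article describes: every contact row readable by anyone who registers.
    {"adx_entityname": "contact", "adx_scope": 756150000, "adx_read": True, "roles": ["r-auth"]},
    # The intended shape: a signed-in user may read only their own contact row.
    {"adx_entityname": "contact", "adx_scope": 756150004, "adx_read": True, "roles": ["r-auth"]},
    # Global read for an internal role is a design decision, not a public exposure.
    {"adx_entityname": "account", "adx_scope": 756150000, "adx_read": True, "roles": ["r-admin"]},
    # Contact scope: only rows related to the signed-in contact.
    {"adx_entityname": "incident", "adx_scope": 756150001, "adx_read": True, "roles": ["r-auth"]},
]

# Constructed adx_sitesetting name/value pairs controlling the portal Web API.
SITE_SETTINGS = {
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "*",
    "Webapi/incident/enabled": "true",
    "Webapi/incident/fields": "title,ticketnumber",
}

# Columns the organization classes as sensitive (constructed), and columns that actually have
# Dataverse column-level security enabled (constructed; in practice read from table metadata).
SENSITIVE_COLUMNS = {"contact": {"emailaddress1", "address1_line1", "telephone1"}}
SECURED_COLUMNS = {"contact": {"emailaddress1"}}


def external_role_ids(web_roles):
    """Roles any visitor can hold: the built-in Anonymous Users and Authenticated Users roles."""
    return {r["adx_webroleid"]: r["adx_name"] for r in web_roles
            if r.get("adx_anonymoususersrole") or r.get("adx_authenticatedusersrole")}


def webapi_enabled(site_settings, table):
    """True when the Webapi/<table>/enabled site setting switches the Web API on for the table."""
    return site_settings.get(f"Webapi/{table}/enabled", "").strip().lower() == "true"


def webapi_exposed_columns(site_settings, table, sensitive):
    """Sensitive columns reachable through the portal Web API for `table` under its site settings."""
    if not webapi_enabled(site_settings, table):
        return set()
    fields = site_settings.get(f"Webapi/{table}/fields", "")
    if fields.strip() == "*":          # wildcard exposes every column on the table
        return set(sensitive)
    allowed = {f.strip() for f in fields.split(",") if f.strip()}
    return set(sensitive) & allowed


def audit(web_roles, table_permissions, site_settings, sensitive_columns, secured_columns):
    """Return one finding per Global-scope read permission held by an external role."""
    findings = []
    external = external_role_ids(web_roles)
    for perm in table_permissions:
        table = perm["adx_entityname"]
        held_by = [external[r] for r in perm.get("roles", []) if r in external]
        if not (perm.get("adx_read") and held_by and perm["adx_scope"] == SCOPE_GLOBAL):
            continue
        exposed = webapi_exposed_columns(site_settings, table, sensitive_columns.get(table, set()))
        unmasked = exposed - secured_columns.get(table, set())
        findings.append({
            "table": table,
            "scope": SCOPE_NAMES.get(perm["adx_scope"], str(perm["adx_scope"])),
            "roles": sorted(held_by),
            "webapi_enabled": webapi_enabled(site_settings, table),
            "unsecured_sensitive_columns": sorted(unmasked),
        })
    return findings


if __name__ == "__main__":
    for f in audit(WEB_ROLES, TABLE_PERMISSIONS, SITE_SETTINGS, SENSITIVE_COLUMNS, SECURED_COLUMNS):
        print(f"{f['table']}: {f['scope']} read for {', '.join(f['roles'])}; "
              f"Web API enabled={f['webapi_enabled']}; "
              f"unsecured sensitive columns={f['unsecured_sensitive_columns']}")
```

On the sample data the script reports a single finding: the contact table is readable at Global scope by Authenticated Users, the Web API exposes every column of it, and two of the three sensitive columns have no column security. The Self-scoped contact permission, the admin-only account permission and the Contact-scoped incident permission are all left alone, which is the distinction a reviewer needs when working through a site with dozens of permissions. To run it against a real site, replace the constructed records with an export of the three configuration tables and the column metadata, and extend the check to write, create and delete privileges, which the article notes are just as exposed through the Web API.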
For some use cases, adopting custom API endpoints can limit data exposure without affecting essential functionalities. Costello stressed the importance of organizations balancing ease of use and security, ensuring sensitive data is kept safe.