Sharing part of our personal information with web portals is very common. In exchange for a service, we hand it over in the belief that the company has the technology and protocols needed to protect it, and will use it only as we permit. Unfortunately, there is always the possibility of a failure, and it has been revealed that thousands of portals running on a Microsoft system exposed millions of confidential records.
According to researchers at the security company UpGuard, about 38 million records from over a thousand web applications using Microsoft's Power Apps portals were exposed online.
The records are said to contain highly sensitive information, for example COVID-19 contact tracing data, vaccination records and employee databases with addresses, telephone numbers, and Social Security numbers.
According to the report, data from some large companies and organizations was exposed in the incident. Wired confirms that the affected organizations include American Airlines, Ford, the Indiana Department of Health and New York City public schools. In addition, 332 thousand email addresses and employee identifiers that Microsoft uses for payroll were among the confidential information left exposed.
UpGuard researchers began investigating the issue in May and later warned that data on several other Power Apps portals, which was considered private, could be accessed by anyone who knew where to look.
It is worth explaining that the Power Apps service aims to make it easier for customers to create their own web and mobile applications. The system provides application programming interfaces (APIs) that developers use to work with the data they collect. However, UpGuard found that enabling those APIs made the data obtained through a Power Apps portal publicly accessible by default, and manual reconfiguration was required to keep the information private.
Response
UpGuard said it submitted a vulnerability report to Microsoft's security team on June 24, including links to Power Apps portal accounts on which confidential data was exposed and steps to identify the APIs that allowed anonymous access to data.
Since then, the experts have been working with Microsoft to clarify the problem. However, UpGuard said that on June 29 a Microsoft analyst told it the case had been closed and that “they had determined that such behavior should be considered by design.”
In response, UpGuard began notifying some of the affected companies and organizations, which moved to lock down their data. It then submitted a report to Microsoft on July 15. By July 19, the company said that most of the information on the affected Power Apps portals, including the most sensitive data, had been made private and the exposure had largely been resolved.
On the matter, Microsoft told Engadget: “Our products offer customers flexibility and privacy features to design scalable solutions that meet different needs. We take security and privacy seriously, and we encourage our customers to use best practices in configuring products to suit their privacy needs.”
Also, earlier this month, Microsoft said that Power Apps portals would keep data private when developers use the APIs. In addition, it released a tool for developers to check their settings.
Finally, it is worth clarifying that there is no indication yet that the exposed data has been used for malicious purposes. However, the case shows that developers need to check their configuration carefully, especially when integrating an API they did not build themselves.