

Ethical Hacking News

Millions of Sensitive Data Exposed: The Unintended Consequences of Misconfigured Microsoft Power Pages


Millions of sensitive data records have been exposed to the public internet because of misconfigurations in Microsoft's Power Pages platform, a website-creation service used by numerous organizations. The finding points to significant security weaknesses and raises concerns about the handling of personally identifiable information.

  • Millions of sensitive data records have been exposed because of misconfigurations in Microsoft's Power Pages.
  • More than 250 million users utilize Power Pages each month, so the exposure is a significant one.
  • A large shared business service provider for the UK National Health Service (NHS) was leaking the information of over 1.1 million NHS employees.
  • Sensitive data from authorized testing alone were found exposed to the public internet, affecting private organizations and government entities.
  • The "authenticated user" role often receives elevated permissions, so outsiders who register on a website are granted excessive permissions.
  • Many companies treat the "authenticated user" role as belonging to someone inside the organization and grant permissions accordingly.
  • Nearly all data leaks discovered by Costello are due to overly permissive table access control definitions.
  • Column-level security is often absent or not set up correctly, leaving sensitive columns unprotected.
  • Microsoft alerts users via banners and warnings when it detects potentially dangerous configurations, but removing excessive levels of access is still necessary.



    Millions of sensitive data records have been exposed to the public internet because of misconfigurations in Microsoft's Power Pages, a website creation platform used by numerous organizations, including those in the healthcare and finance sectors. This revelation has sparked concerns about the security and privacy of the personally identifiable information (PII) of millions of individuals.

    According to Aaron Costello, chief of SaaS security research at AppOmni, the organization that discovered this issue in September, more than 250 million users utilize Power Pages each month, which makes the exposure a significant one. In one notable instance, a large shared business service provider for the UK National Health Service (NHS) was leaking the information of over 1.1 million NHS employees, including email addresses, telephone numbers, and home addresses.

    Costello notes that several million records of sensitive data were found exposed to the public internet from authorized testing alone, affecting both private organizations and government entities, including those in technology, health, and finance sectors. He highlights that organizations need to prioritize security when managing external-facing websites, striking a balance between ease of use and security in SaaS platforms.

    Power Pages, a low-code software-as-a-service platform, allows organizations to build external-facing websites on Microsoft infrastructure with preconfigured role-based access controls and three out-of-the-box roles. Two of these roles, "anonymous users" and "authenticated users", are the ones relevant to this security oversight. The latter represents anyone logged into the site, and it often receives elevated permissions.

    Many companies treat the "authenticated user" role as belonging to someone inside the organization and grant permissions accordingly – even for outsiders who register for their websites. This approach leaves organizations far more likely to grant excessive permissions to a role that they believe is internal in nature.

    Power Pages employs a layered approach to access controls, with four layers forming a pyramid. The foundation level includes site-level access controls, which control site authentication settings and determine which tables and columns in the database are accessible through the public web API. Any of those database resources marked as Web API accessible are at risk of being leaked to unauthorized viewers.

    The next layer up is the Table Permissions section, where the site administrator defines table-specific access controls, including roles, permissions, and access types. Nearly all data leaks discovered by Costello are due to overly permissive table access control definitions. For instance, a site with public registration enabled and a "global access" setting on a table exposes all rows within that table to anyone who registers.

    Column-level security is another layer of protection that uses data masking to protect sensitive information. However, this arrangement requires complex setup, often resulting in its absence. Costello noted throughout his testing that not a single implementation of column-level security was present to prevent access to sensitive columns.

    Microsoft does alert users via banners and other warnings when it detects potentially dangerous configurations, such as those exposing data to the public internet. Nevertheless, removing excessive levels of access to external users is seen by Costello as the most effective way to resolve this issue in its entirety.
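The audit below is an added example (not code from the article, AppOmni or Microsoft) that models the four-layer pattern described above over constructed sample settings and flags tables that an outsider-held role can read in bulk through the Web API. The role labels come from the article; the access-type name "Contact" and the shape of the configuration records are assumptions.

```python
from dataclasses import dataclass, field

# Out-of-the-box roles the article names; both can end up held by outsiders.
ANONYMOUS, AUTHENTICATED = "Anonymous Users", "Authenticated Users"

@dataclass
class TablePermission:
    table: str
    roles: set[str]
    access_type: str      # "Global" exposes every row; other scope names are assumed here
    privileges: set[str]  # e.g. {"Read"} or {"Read", "Write"}

@dataclass
class SiteConfig:
    public_registration: bool
    web_api_tables: set[str]  # tables marked Web API accessible in site settings
    column_security: dict[str, set[str]] = field(default_factory=dict)  # table -> masked columns
    permissions: list[TablePermission] = field(default_factory=list)

def audit(cfg: SiteConfig) -> list[tuple[str, str]]:
    """Return (table, reason) for every table an outsider can bulk-read via the Web API."""
    # Anonymous is always external; Authenticated is too once anyone may register.
    outsiders = {ANONYMOUS} | ({AUTHENTICATED} if cfg.public_registration else set())
    findings = []
    for p in cfg.permissions:
        held = p.roles & outsiders
        # Only global read access on a Web-API-enabled table leaks whole tables.
        if not held or "Read" not in p.privileges or p.access_type != "Global":
            continue
        if p.table not in cfg.web_api_tables:
            continue
        reason = f"global read for {sorted(held)} through the Web API"
        if not cfg.column_security.get(p.table):
            reason += "; no column-level security"
        findings.append((p.table, reason))
    return findings

# Constructed sample: open sign-up plus an over-trusted authenticated role.
SAMPLE = SiteConfig(
    public_registration=True,
    web_api_tables={"contact", "case"},
    column_security={"case": {"description"}},
    permissions=[
        TablePermission("contact", {AUTHENTICATED}, "Global", {"Read"}),
        TablePermission("case", {AUTHENTICATED}, "Global", {"Read"}),
        TablePermission("case", {AUTHENTICATED}, "Contact", {"Read"}),  # row-scoped, fine
        TablePermission("account", {ANONYMOUS}, "Global", {"Read"}),    # not Web API enabled
    ],
)
```

Running `audit(SAMPLE)` reports the contact table (global read, no column masking) and the case table (global read, columns partly masked), while the row-scoped and non-API permissions pass.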



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/11/15/microsoft_power_pages_misconfigurations/


  • Published: Fri Nov 15 01:50:07 2024 by llama3.2 3B Q4_K_M
