{"id":6235,"date":"2024-11-14T07:00:00","date_gmt":"2024-11-14T13:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82609"},"modified":"2024-11-14T07:00:00","modified_gmt":"2024-11-14T13:00:00","slug":"heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/14\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches\/","title":{"rendered":"Here\u2019s how misconfigurations in Microsoft Power Pages could lead to data breaches"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Misconfigured Microsoft Power Pages could lead to data breaches<\/title> <meta name=\"description\" content=\"AppOmni researchers found a misunderstanding of Microsoft Power Pages' access controls can lead to PII being taken from these websites.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-power-pages-misconfiguration-appomni\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Here\u2019s how misconfigurations in Microsoft Power Pages could lead to data breaches\"> <meta property=\"og:description\" content=\"AppOmni researchers found a misunderstanding of Microsoft Power Pages' access controls can lead to PII being taken from these websites.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-power-pages-misconfiguration-appomni\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-11-14T13:00:00+00:00\"> <meta 
property=\"article:modified_time\" content=\"2024-11-13T23:21:48+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1279\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1731444340g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730917128g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1731517106g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=268fd554331a9a76f78c\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82609\"><link rel=\"EditURI\" 
type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82609\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-power-pages-misconfiguration-appomni%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-power-pages-misconfiguration-appomni%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82609 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/microsoft-power-pages-misconfiguration-appomni\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section 
id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.282881002088\">\n<div class=\"single-article__header-content\" readability=\"30.152941176471\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> AppOmni researchers found that a misunderstanding of access controls can lead to PII being taken from these low-code websites. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Microsoft Power Pages\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=1536,1023 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> A logo of US company Microsoft is displayed during the Vivatech technology startups and innovation fair, at the Porte de Versailles exhibition center in Paris, on May 22, 2024. (Photo by JULIEN DE ROSA \/ AFP \/ Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.283862540193\"><body readability=\"88.867507886435\"><\/p>\n<p>Microsoft\u2019s Power Pages is a low-code platform that enables users to create data-driven websites with minimal coding requirements or knowledge. It\u2019s used by both the public and private sector, at organizations large and small, to assist in all sorts of scenarios where a customer or a citizen needs data to solve a problem. These pages also may be creating a problem for their respective organizations, in the form of leaking sensitive information, if they are not configured correctly.&nbsp;<\/p>\n<p>Researchers at Software-as-a-Service (SaaS) security company AppOmni discovered exactly how this happens within Power Pages, which has been detailed in <a href=\"https:\/\/appomni.com\/blog\/microsoft-power-pages-data-exposure-revived\">research published Thursday<\/a>.&nbsp;<\/p>\n<p>The researchers found significant amounts of information can be accidentally shared on the public internet due to misconfigurations in access settings on websites built with Microsoft Power Pages. 
In one such instance found by the company, a large service provider for England\u2019s National Health Service was leaking information on over 1.1 million NHS employees, including email addresses, phone numbers and home addresses.<\/p>\n<p>AppOmni says the misconfigurations happen because people can easily make errors when setting up access controls in Power Pages, as well as through the use of insecure custom code.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Exposures can occur when Power Pages websites allow too many permissions to users who haven\u2019t signed in. The platform\u2019s role-based access control is set up to automatically assign roles to users, which are cataloged as \u201cAnonymous Users\u201d or \u201cAuthenticated Users.\u201d When a site is incorrectly configured, \u201cAuthenticated Users\u201d can be treated as internal users, and potentially access sensitive data through the platform\u2019s APIs.<\/p>\n<p>Power Pages also has several layers of security to control users\u2019 access to data \u2014 layers labeled as \u201csite,\u201d \u201ctable,\u201d \u201ccolumn,\u201d and \u201crecord\u201d levels \u2014 but these are often improperly set up. At the site level, default settings make it easy for people to register and gain access to data they should not be able to obtain. At the table and record levels, permissions are given to different roles, but mistakes, like giving \u201cGlobal Access\u201d to roles such as \u201cAnonymous Users,\u201d can let anyone access all data.<\/p>\n<p>Aaron Costello, <a href=\"https:\/\/appomni.com\/\">AppOmni<\/a>\u2019s chief of SaaS security research, told CyberScoop that Power Pages users must pay better attention to the security parameters within the product, especially given Power Pages\u2019 popularity. 
Earlier this year, Microsoft said websites built and maintained with Power Pages have over <a href=\"https:\/\/www.microsoft.com\/en-us\/power-platform\/blog\/power-pages\/microsoft-power-pages-is-bringing-the-new-standard-in-secure-ai-powered-capabilities\/\">250 million users every month<\/a>.&nbsp;<\/p>\n<p>\u201cIt\u2019s clear that organizations need to prioritize security when managing external-facing websites, and balance ease of use with security in SaaS platforms,\u201d Costello said. \u201cThese are the applications holding the bulk of confidential corporate data today, and attackers are targeting them as a way into enterprise networks.\u201d&nbsp;<\/p>\n<p>The research does emphasize that the issue is the way in which Power Pages sites are deployed, and not an underlying vulnerability in Power Pages. There are warnings in Power Pages and other Power Platform applications that alert users of potentially risky configurations, including a banner on all Power Platform admin pages that indicates if changes on public sites are immediately visible. Additionally, a message on the Power Pages table permissions page highlights the risks of using the \u201cAnonymous\u201d role for table permissions. A warning icon also appears next to any permission that grants \u201cGlobal Access\u201d to \u201cAnonymous Users.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A Microsoft spokesperson told CyberScoop that IT admins should watch for those alerts in the <a href=\"https:\/\/learn.microsoft.com\/en-us\/power-pages\/security\/power-pages-security\">Microsoft Power Platform Admin Center<\/a>. <\/p>\n<p>\u201cWe provide strict data access by default, and there are security and governance controls for IT administrators to customize to their organization\u2019s needs,\u201d the spokesperson told CyberScoop. 
<\/p>\n<p>AppOmni also says organizations using Power Pages should heavily scrutinize their access controls, particularly permissions granted at the user level, to ensure that no sensitive information is publicly exposed. Additionally, admins should ensure correct Web API and authentication settings, check tables with \u201cGlobal Access\u201d and how they are associated with external roles, and verify that columns accessible to external users have appropriate security and masking.<\/p>\n<p>You can read the full research <a href=\"https:\/\/appomni.com\/blog\/microsoft-power-pages-data-exposure-revived\">here<\/a>.&nbsp;<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.2569832402235\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-misconfigurations-in-microsoft-power-pages-could-lead-to-data-breaches-1.jpg?w=640&#038;ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News &amp; World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-power-pages-misconfiguration-appomni\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Misconfigured Microsoft Power Pages could lead to data breaches Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3105,78,3106,625,310],"tags":[3107,86,3108,630,311],"class_list":["post-6235","post","type-post","status-publish","format-standard","hentry","category-appomni","category-cybersecurity","category-data-exposure","category-microsoft","category-technology","tag-appomni","tag-cybersecurity","tag-data-exposure","tag-microsoft","tag-technology"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/appomni\/\" rel=\"category tag\">appomni<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-exposure\/\" rel=\"category tag\">data exposure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category 
tag\">Technology<\/a>","tag_info":"Technology","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6235"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6235\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}