38 Million Records Were Exposed Online -- Including Contact-Tracing Info

More than a thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. The data included a range of sensitive information, from people's phone numbers and home addresses to social security numbers and Covid-19 vaccination status. From a report: The incident affected major companies and organizations, including American Airlines, Ford, the transportation and logistics company J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. And while the data exposures have since been addressed, they show how one bad configuration setting in a popular platform can have far-reaching consequences.

The exposed data was all stored in Microsoft's Power Apps portal service, a development platform that makes it easy to create web or mobile apps for external use. If you need to spin up a vaccine appointment sign-up site quickly during, say, a pandemic, Power Apps portals can generate both the public-facing site and the data management backend. Beginning in May, researchers from the security firm Upguard began investigating a large number of Power Apps portals that publicly exposed data that should have been private -- including in some Power Apps that Microsoft made for its own purposes. None of the data is known to have been compromised, but the finding is significant still, as it reveals an oversight in the design of Power Apps portals that has since been fixed. In addition to managing internal databases and offering a foundation to develop apps, the Power Apps platform also provides ready-made application programming interfaces to interact with that data. But the Upguard researchers realized that when enabling these APIs, the platform defaulted to making the corresponding data publicly accessible. Enabling privacy settings was a manual process. As a result, many customers misconfigured their apps by leaving the insecure default.

Standard American Problems

[Tabitha 696]

This is what happens when you do not have government involvement in safeguarding your infrastructure.

Contact tracing: All pain, no gain

[shanen]

Vacuous FP. But I have a tangential response at hand to the broad failure of contract tracing

Starting with the technological failure: Contact tracing apps for smartphones. If you can point at a success story, please do. I can point at lots of failures and the reason is obvious: Perverse incentives. All pain, no gain.

The least pain is battery drain, but you probably started with installation pains. This story is about the pain of having your personal data breached (and how). But the BIG pain is if it works a

Re:

[Opportunist]

That information is FAR easier to get than by having everyone carry a bug around. Just have the stores, train stations and so on report the customer frequency.

Re:

[shanen]

Your tone suggests you disagree, but your semantics seems to be in agreement. Or did you have some other mechanism than a website or smartphone app in mind to make that information available? Or maybe you just didn't understand my murky and verbose writing and didn't want to ask for clarification?

As I visualize it, each person should have control over how much or how little of your information is used or even shared. Apart from the security problems (highlighted in this story and out of your control once yo

Re:

[Opportunist]

I agree that the idea of knowing when people tend to congregate (for other reasons than actual congregation) and that spreading this out is a very good one. I just don't think that an app (where the people would have to opt-in and thus potentially invalidate the result) is a good approach. A better one would be to ask the stores, trains and other operators of places where people simply have to come together how many people use their servirce at a given time, an information they very likely already have for

Re:

[shanen]

You still sound confused about what I wrote, but I think most of what you described is already in Google Maps (and probably in competing systems that I'm unfamiliar with). Of course only you know where to research as regards your future movements (with certain exceptions such as calendar information), but the history of where you've been is still relevant. (For your present status, looking around usually works well enough, and if you've walked into a red zone, then it's too late anyway.)

Re:

[Ol Olsoc]

Vacuous FP. But I have a tangential response at hand to the broad failure of contract tracing

Tangential? you gotta be trying to change the subject. Apparently you approve of the disclosure, because you don't like contact tracing - sounds legit, Boris.

Re:

[shanen]

NAK

Re:

[CaptQuark]

P.S. And why isn't anyone selling good transparent masks? Not the stupid face shields, but a breathable mask of plastic or perhaps even transparent cotton.

There are lots of transparent face masks available. They are quite popular in the deaf community where lip reading is beneficial. https://www.health.com/conditi... [health.com]

Re:

[shanen]

I did come across those when I was searching for "transparent masks", but all of the ones I saw were face shields or variations, and the airborne virus just goes around that. What I'm thinking of would be flexible and porous, basically like a KN95, but made of flexible plastic or something else rendered close to transparent.

Which gave me the idea of "transparent KN95" as a search, but it produced the same sort of masks as your link... Pretty sure I've never seen one in real life.

Same old story

[oldgraybeard]

with different words "Power Apps from Microsoft"!

first to market

[laktech]

This is what happens when you're in a race to first to market. Everything except the product is an after-thought and thus no surprise this happened.

Re:

[Opportunist]

This is more what happens when you're used to pushing bananaware. Some things can't just ripen with the customer.

No shit

[RightwingNutjob]

Did anyone think these magic apps that popped up overnight weren't built by monkeys copy-pasting shit off of stackoverflow and passing it off as vetted reliable technology.

I'll be damned before I put one of these mystery apps on my phone. And I'll be damnded before I tell any "contact tracer" anything specific about anybody.

If I know enough to identify that person, I will notify them myself. If I don't, then there's nothing the gubmint can do for them.

bad defaulted settings?

[Joe_Dragon]

bad defaulted settings?

also are still useing all users but they really MEAN ALL internet users vs say all domain users?

'Microsoft' should be up front in the subject

[schwit1]

I have to wonder if MS submitted the story with the generic subject knowing someone else would.

Microsoft, NSS!

[Finallyjoined!!!]

Microsoft apps, no shit Sherlock.

I'm forced to use teams at work (WFH) it's shite!

Re:

[Big Bipper]

Microsoft, eye candy first, performance second, security last ( maybe ). Although to be fair, software that is secure out of the box often has the security turned off by the devs in the struggle to get it working and tested or working reasonably fast in a test / beta environment. It's too easy after that to forget to turn it back on.