More than 1 million sensitive records containing NHS workers’ personal data, including email addresses, phone numbers, and home addresses, were left vulnerable online due to a misconfigured Microsoft Power Pages setup.
In September, cybersecurity researchers at AppOmni identified a major enterprise service provider working with the UK’s National Health Service (NHS) as having permitted unauthorised access to sensitive data through insecure permission settings on Microsoft Power Pages.
The permission settings for certain tables and columns exposed through the Power Pages Web API were overly permissive, allowing unrestricted access to “Anonymous” (unauthenticated) users. The misconfiguration was disclosed to the NHS and has since been rectified.
Beyond this finding, AppOmni also uncovered millions of records belonging to various organisations and government entities that were exposed through similar misconfigurations.
The exposed data included both internal corporate records and data from users who had registered on the websites, including clients. Exposing personal data in this way not only invades individuals’ privacy but also exposes organisations to compliance risk, as regulations such as the General Data Protection Regulation (GDPR) require the strict safeguarding of sensitive personal data, including health information.
Aaron Costello, Chief of SaaS Security Research at AppOmni, noted via email: “These vulnerabilities are critical – Microsoft Power Pages is employed by over 250 million users monthly, including industry-leading organizations and government entities across sectors such as financial services, healthcare, automotive, and more.”
“The alarming findings from AppOmni’s investigation underscore the perilous consequences of misconfigured access controls within SaaS applications, as sensitive data including personal information is inadvertently exposed.”
Organisations must prioritise security when managing external-facing websites that integrate with SaaS platforms holding sensitive company data, since such sites are primary targets for attackers seeking to infiltrate enterprise networks.
Common Power Pages misconfigurations
Within Power Pages, administrators determine which users have access to which parts of the site’s Dataverse, the underlying data storage layer, and thereby control the flow of data.
One key benefit of Power Pages is its pre-configured role-based access control system, which provides access management from the start. That convenience, however, can lead technical teams to become complacent.
The following combination of settings opens a path to exposing enterprise data:
- Upon deployment, most sites enable open registration, allowing any visitor to become an “Authenticated” user, a role that often carries additional privileges. Even if the registration page is not visible on the site, visitors may still be able to register and authenticate through the associated APIs.
- Anonymous users are granted “Global Access” to a table, which lets anyone holding that permission view every row. When Authenticated users hold this permission and self-registration is enabled,
- Even where access restrictions are in place on the table, sensitive columns may lack column-level security, so their data can be read without limitation. Column-level security is used only sporadically and inconsistently, since access is usually configured at the table level. AppOmni suggests this may be because enabling it is cumbersome, or because the data was never intended for public consumption.
- Employing row-level security as an alternative to column-level security will not impede site performance.
- To prevent unnecessary exposure, AppOmni recommends restricting the Web API to only the columns that are actually needed, thereby minimising the damage from any unauthorised access.
Is your Power Pages site secure?
Know the warning signs
Microsoft displays a number of warnings that alert administrators to potentially dangerous configurations, including:
- A warning, shown when editing a publicly accessible site, that any changes will be visible to the public immediately.
- A warning that data assigned to the Anonymous role will be accessible to anyone, without restriction.
- A message displayed beside any permission that grants Global Access to Anonymous users.
Audit access controls
Power Pages administrators should ensure that external users cannot gain unfettered access by carefully examining site settings, table permissions and column permissions. AppOmni recommends reviewing the configuration of your sites.
- In particular, the following site settings:
- Webapi/<object>/enabled
- Webapi/<object>/fields
- Authentication/Registration/Enabled
- Authentication/Registration/OpenRegistrationEnabled
- Authentication/Registration/ExternalLoginEnabled
- Authentication/Registration/LocalLoginEnabled
- Authentication/Registration/LocalLoginDeprecated
- All tables whose “Access Type” is set to “Global Access” and that are associated with external-facing roles.
- Columns accessible to external users that lack column-level security and corresponding access controls should be reviewed.
- What innovative frameworks for external risk assessments are being explored?
To avoid degrading site performance, AppOmni suggests creating a custom API endpoint for validating user input.
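As an added example (not code from the article, AppOmni or Microsoft), the following Python script runs the audit checklist above over an exported set of Power Pages site settings and table permissions, and flags the combination of conditions described in the earlier list: open self-registration, a table's Web API enabled with a missing or unrestricted fields list, and a Global Access read permission for the Anonymous or Authenticated role on a table whose API-exposed columns lack column-level security. The record shapes, the role names and the sample data are assumptions constructed for the example; the setting names are the ones listed in the article.

```python
"""Audit Power Pages site settings and table permissions for the exposure
pattern described in the article.  Added example; input shapes are assumed,
not Dataverse's real schema."""
from dataclasses import dataclass, field

# Built-in web roles an external visitor can hold (assumed display names).
EXTERNAL_ROLES = {"Anonymous Users", "Authenticated Users"}


@dataclass
class TablePermission:
    """Simplified table permission record (assumed shape)."""
    table: str
    access_type: str                  # "Global Access", "Contact Access", "Self Access", ...
    roles: set                        # web roles the permission is associated with
    read: bool = True
    secured_columns: set = field(default_factory=set)   # columns with column-level security


def _norm(settings):
    """Lower-case setting names and stringify values so lookups are case-insensitive."""
    return {k.strip().lower(): str(v).strip() for k, v in settings.items()}


def _is_true(value):
    return value.lower() == "true"


def webapi_exposed_tables(settings):
    """Return {table: fields-setting} for every table whose Web API is enabled."""
    s = _norm(settings)
    exposed = {}
    for name, value in s.items():
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "webapi" and parts[2] == "enabled" and _is_true(value):
            exposed[parts[1]] = s.get(f"webapi/{parts[1]}/fields", "")
    return exposed


def audit_site_settings(settings):
    """Findings from the Authentication/Registration and Webapi site settings alone."""
    s = _norm(settings)
    findings = []
    if _is_true(s.get("authentication/registration/enabled", "false")) and \
            _is_true(s.get("authentication/registration/openregistrationenabled", "false")):
        findings.append("open self-registration: any visitor can become an Authenticated user")
    for table, fields in webapi_exposed_tables(settings).items():
        if fields == "*":
            findings.append(f"Web API for '{table}' exposes every column (fields = *)")
        elif fields == "":
            findings.append(f"Web API for '{table}' enabled without a fields allow-list")
    return findings


def audit_table_permissions(permissions, settings):
    """Flag Global Access read permissions held by external roles, and note whether
    the table is reachable via the Web API with columns lacking column-level security."""
    exposed = webapi_exposed_tables(settings)
    findings = []
    for p in permissions:
        external = p.roles & EXTERNAL_ROLES
        if not (p.read and external and p.access_type == "Global Access"):
            continue
        via = "Anonymous" if "Anonymous Users" in external else "Authenticated"
        msg = f"'{p.table}': Global Access read for {via} users (every row readable)"
        if p.table in exposed:
            fields = exposed[p.table]
            if fields in ("", "*"):
                msg += "; reachable through Web API with no column restriction"
            else:
                requested = {c.strip() for c in fields.split(",")}
                unsecured = requested - p.secured_columns
                if unsecured:
                    msg += "; Web API columns lacking column-level security: " + ", ".join(sorted(unsecured))
        findings.append(msg)
    return findings


# Constructed sample export mirroring the risky combination from the article.
SAMPLE_SETTINGS = {
    "Authentication/Registration/Enabled": "true",
    "Authentication/Registration/OpenRegistrationEnabled": "true",
    "Webapi/contact/enabled": "true",
    "Webapi/contact/fields": "firstname,lastname,emailaddress1,telephone1,address1_line1",
    "Webapi/account/enabled": "true",
    "Webapi/account/fields": "*",
}
SAMPLE_PERMISSIONS = [
    TablePermission("contact", "Global Access", {"Authenticated Users"}, secured_columns={"address1_line1"}),
    TablePermission("account", "Global Access", {"Anonymous Users"}),
    TablePermission("incident", "Self Access", {"Authenticated Users"}),
]


def audit(settings=SAMPLE_SETTINGS, permissions=SAMPLE_PERMISSIONS):
    """Combined report: site-setting findings first, then table-permission findings."""
    return audit_site_settings(settings) + audit_table_permissions(permissions, settings)


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

On the constructed sample the script reports four findings: open registration, the account table's wildcard Web API fields, the contact table readable by every Authenticated user with four API-exposed columns unprotected by column-level security, and the account table readable anonymously with no column restriction. A permission that is not Global Access, such as the incident table's Self Access, produces no finding.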