This past spring Microsoft launched PowerApps, a platform to develop small business applications. These applications can run on computers, tablets and mobile devices and can connect to the Office365 cloud service. It is in that connectivity where cybercriminals can take advantage and obtain sensitive information.
The most common source of this type of data leak is usually a misconfiguration of the application, vulnerabilities are less common. It is these configurations that cybercriminals exploit to obtain information that can be very sensitive.
Due to the pandemic, now almost all companies around the world use some cloud service. Unfortunately, the necessary knowledge for this has not increased at the same pace as the adoption of these services, which can generate this type of problems.
In a recent incident, some 38 millions of records have been exposed and the information was publicly accessible. This information contains personal information, social security numbers, addresses and data about vaccination.
Microsoft, for its part, has updated the platform and now does not allow anonymous users to access data tables, but users can still change these settings. Now, by default, the data will remain hidden.
We must insist on the new model that is emerging with this type of services: now the responsibility will be shared between the provider and the user. This means that the provider will be in charge of maintaining the security of the infrastructure itself while the user, of what they do with it. This implies being extremely careful with the information we deposit in the cloud and how it is managed.
Fountain: HelpNet Security
Image: Microsoft365Training