Microsoft Power Pages misconfigurations expose NHS data
A recent report has identified that improper configuration settings within Microsoft Power Pages have led to the exposure of millions of sensitive data records on the internet, affecting both public and private sector organisations.
One significant case involves a shared business service provider for England's healthcare system, the National Health Service (NHS), which inadvertently exposed data on over 1.1 million NHS employees. The exposed information included email addresses, phone numbers, and home addresses.
According to Aaron Costello, Chief of SaaS Security Research at AppOmni, "These exposures are significant – Microsoft Power Pages is used by over 250 million users every month, as well as industry-leading organizations and government entities, spanning financial services, healthcare, automotive and more."
AppOmni's discovery underscores the critical risks associated with misconfigured access controls in SaaS applications. Costello emphasized, "AppOmni's discovery highlights the significant risks posed by misconfigured access controls in Software-as-a-Service applications: Sensitive information, including personal details, has been exposed here. It's clear that organizations need to prioritize security when managing external-facing websites, and balance ease of use with security in SaaS platforms – these are the applications holding the bulk of confidential corporate data today, and attackers are targeting them as a way into enterprise networks. As the guardians of SaaS security, AppOmni aims to help organizations and vendors address these threats by identifying risks and offering solutions to improve SaaS security for all."
The issue is not isolated to a single sector; it impacts organisations globally, across all industries, including government entities. The data exposed include internal organisational files and sensitive details for companies using the platform, as well as outside users registered on the affected websites.
The Microsoft Power Pages Web API can disclose sensitive data such as personally identifiable information (PII) if security configurations inadvertently grant anonymous users excessive permissions. This oversight can allow individuals to escalate their effective permissions and gain access to sensitive data.
In September 2024, Costello revealed that vast quantities of data were accessible on the public internet because of misconfigured access controls in Power Pages websites. Built on the Power Platform, Power Pages facilitates the creation of externally facing websites. While role-based access control (RBAC) is built in, the ease of deployment can result in significant security oversights.
This security lapse involved several million records of sensitive data from internal organisation files and PII of users connected to these websites, including full names, email addresses, phone numbers, and home addresses.
AppOmni users with Microsoft 365 products have been provided with an AppOmni Insight to help detect and remediate these exposures.
The findings point to inadequacies in the implementation of access controls within Power Pages and insecure custom code practices. By assigning excessive permissions to unauthenticated users, organisations risk having their data exposed through the Web API.
A comprehensive understanding of Power Pages' architecture and its RBAC model is essential to mitigating these exposures effectively.
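The following is an added example, not code from the report, from AppOmni, or from Microsoft. It is a simplified offline model of how Power Pages decides which rows a Web API caller can read: the caller's web roles (including the built-in Anonymous Users and Authenticated Users roles), the table permissions attached to those roles with their scope (Global, Contact or Self; the real product has further scopes such as Account and Parent, which are omitted here), and the `Webapi/<table>/enabled` and `Webapi/<table>/fields` site settings that expose a table through the API. The sample contacts, roles and permissions are constructed for the demonstration. It contrasts a misconfigured site (Anonymous Users granted a Global read on the contact table) with a hardened one (Authenticated Users limited to Self scope), and includes a small audit function a defender can run over an exported permission set to flag tables readable by anonymous visitors.

```python
"""Simplified model of Power Pages table-permission evaluation behind the Web API.
Added example with constructed data; not the product's code and not AppOmni's tooling.
Only the Global, Contact and Self scopes are modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class WebRole:
    name: str
    anonymous: bool = False      # granted to every unauthenticated visitor
    authenticated: bool = False  # granted to every signed-in contact


@dataclass(frozen=True)
class TablePermission:
    table: str
    role: str
    scope: str                   # "Global", "Contact" or "Self" (model subset)
    read: bool = False


@dataclass(frozen=True)
class Principal:
    contact_id: Optional[str] = None   # None models an anonymous visitor
    roles: Sequence[str] = ()          # roles explicitly assigned to the contact


def effective_roles(p: Principal, roles: Sequence[WebRole]) -> set:
    """Explicit roles plus the built-in role that matches the caller's auth state."""
    held = set(p.roles)
    for r in roles:
        if r.anonymous and p.contact_id is None:
            held.add(r.name)
        if r.authenticated and p.contact_id is not None:
            held.add(r.name)
    return held


def web_api_read(p: Principal, table: str, records: List[Dict], roles: Sequence[WebRole],
                 perms: Sequence[TablePermission], site_settings: Dict[str, str]) -> List[Dict]:
    """Rows an API caller would receive for a read of <table>, after scope and field filtering."""
    if site_settings.get(f"Webapi/{table}/enabled", "false").lower() != "true":
        return []  # table is not exposed through the Web API at all
    allowed = [f.strip() for f in site_settings.get(f"Webapi/{table}/fields", "").split(",") if f.strip()]
    held = effective_roles(p, roles)
    visible = []
    for rec in records:
        for tp in perms:
            if tp.table != table or tp.role not in held or not tp.read:
                continue
            if tp.scope == "Global":
                ok = True                                   # every row, for everyone in the role
            elif tp.scope == "Contact":
                ok = p.contact_id is not None and rec["_owner"] == p.contact_id
            elif tp.scope == "Self":
                ok = table == "contact" and rec["contactid"] == p.contact_id
            else:
                ok = False
            if ok:
                visible.append({k: v for k, v in rec.items()
                                if not k.startswith("_") and (allowed == ["*"] or k in allowed)})
                break
    return visible


def audit_anonymous_exposure(roles: Sequence[WebRole], perms: Sequence[TablePermission]) -> List[str]:
    """Defender's check: tables that any anonymous-user role can read with Global scope."""
    anon = {r.name for r in roles if r.anonymous}
    return sorted({tp.table for tp in perms if tp.role in anon and tp.read and tp.scope == "Global"})


# Constructed sample data (not real records).
ROLES = (WebRole("Anonymous Users", anonymous=True), WebRole("Authenticated Users", authenticated=True))
CONTACTS = [
    {"contactid": "c1", "_owner": "c1", "fullname": "Alice Example", "emailaddress1": "alice@example.invalid"},
    {"contactid": "c2", "_owner": "c2", "fullname": "Bob Example", "emailaddress1": "bob@example.invalid"},
    {"contactid": "c3", "_owner": "c3", "fullname": "Cara Example", "emailaddress1": "cara@example.invalid"},
]
SETTINGS = {"Webapi/contact/enabled": "true", "Webapi/contact/fields": "contactid,fullname,emailaddress1"}
MISCONFIGURED = (TablePermission("contact", "Anonymous Users", "Global", read=True),)
HARDENED = (TablePermission("contact", "Authenticated Users", "Self", read=True),)

if __name__ == "__main__":
    print("anonymous, misconfigured:", web_api_read(Principal(), "contact", CONTACTS, ROLES, MISCONFIGURED, SETTINGS))
    print("anonymous, hardened:    ", web_api_read(Principal(), "contact", CONTACTS, ROLES, HARDENED, SETTINGS))
    print("c2 signed in, hardened: ", web_api_read(Principal("c2"), "contact", CONTACTS, ROLES, HARDENED, SETTINGS))
    print("audit:", audit_anonymous_exposure(ROLES, MISCONFIGURED), audit_anonymous_exposure(ROLES, HARDENED))
```

With the misconfigured permission set, an anonymous caller receives every contact's name and email address, which is the shape of exposure the report describes; with the hardened set, the same caller gets nothing and a signed-in contact sees only their own row. The audit function is the quick check to run over a site's permission configuration: any table it returns is readable by the public regardless of who built the page.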
AppOmni's report illustrates that the root cause of these exposures lies in mismanagement of authentication and permission settings, urging continued vigilance and comprehensive security monitoring.