24.08.2021, 02:59   #1
Blog bot
Member
Registered: 28.10.2006
msdynamicsworld: Microsoft's Power Apps Portals customers were exposing millions of private records, security firm reveals
Source: https://msdynamicsworld.com/story/mi...-security-firm
==============

A cybersecurity firm has revealed a broad data security risk in Microsoft Power Apps Portals related to access to OData APIs. The issue, which led to the public exposure of sensitive data across many public-facing portals, impacted hundreds of portals and exposed a reported 38 million records, including personal information of customers, citizens, and employees.

The firm, UpGuard, reports that the data access issue has largely been addressed through its own outreach to portal owners and through actions taken by Microsoft after learning of the exposures. Portals customers observed to have been inadvertently exposing their data publicly included American Airlines, Ford, J.B. Hunt, and state and local government agencies.

The root of the issue was the security configuration of OData API feeds for portals, the UpGuard team explained in their report. Specifically, Microsoft Dataverse tables used to store portal data about entities like customers, employees, vendors, constituents, or almost anything else can be configured for anonymous access via OData. While portals have a range of security controls, the UpGuard team reported that the controls for retrieving table data via OData could easily be misconfigured to allow anonymous access. (Microsoft has since changed those configuration settings.)

The UpGuard team identified these vulnerabilities in May and June of 2021, they report. The findings began with a discovery of anonymous access to personal data on a single portal. After that portal was secured by the owner, the team explored whether other sites powered by Power Apps Portals had the same issue. They found other portals using the common Microsoft subdomain naming patterns and checked each for an OData endpoint and the lists available to anonymous visitors.

Using this technique, the team uncovered sensitive data on public-facing portals used by the US government for COVID-19 tracing or vaccination, and on a portal holding job applicant data, including Social Security Numbers. In all, they report, they identified over a thousand anonymously accessible lists across a few hundred portals.
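The check described above, turned into a self-audit for a portal you operate, as an added example that is not from the article, UpGuard's tooling, or Microsoft: it requests the OData service document without credentials and reports which entity sets return rows to an anonymous caller. The `/_odata` path and the `$top=1` query option are assumptions about the portal's OData v4 feed; the `constructed_fetch` stand-in and its data are constructed so the logic runs offline.

```python
import json
import urllib.error
import urllib.request

ODATA_PATH = "/_odata"  # assumed service-document path; confirm on your own portal


def http_fetch(url):
    """Unauthenticated GET returning (status, body); any callable with this shape can replace it."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""


def parse_entity_sets(service_doc):
    """Entity-set names from an OData v4 service document: {"value": [{"url": ...}, ...]}."""
    return [item["url"] for item in json.loads(service_doc).get("value", []) if "url" in item]


def audit_portal(base_url, fetch=http_fetch):
    """Report which entity sets return rows to an anonymous caller (exposed) versus
    refusing or returning nothing (protected: 401/403, empty feed, non-JSON body)."""
    base = base_url.rstrip("/")
    status, body = fetch(base + ODATA_PATH)
    if status != 200 or not body:
        return {"exposed": [], "protected": [], "unreachable": True}
    report = {"exposed": [], "protected": [], "unreachable": False}
    for name in parse_entity_sets(body):
        st, rows_body = fetch(f"{base}{ODATA_PATH}/{name}?$top=1")  # $top: standard OData option
        try:
            rows = json.loads(rows_body).get("value", []) if st == 200 else []
        except ValueError:  # non-JSON body, e.g. an HTML sign-in page
            rows = []
        report["exposed" if rows else "protected"].append(name)
    return report


def constructed_fetch(url):
    """Constructed stand-in for http_fetch: 'contacts' leaks a row, 'cases' refuses anonymous reads."""
    if url.endswith(ODATA_PATH):
        return 200, '{"value": [{"name": "contacts", "url": "contacts"}, {"name": "cases", "url": "cases"}]}'
    if "/contacts?" in url:
        return 200, '{"value": [{"fullname": "Constructed Person", "emailaddress1": "person@example.invalid"}]}'
    return 403, ""
```

Run `audit_portal("https://<your-portal>")` with the default fetcher against a portal you administer; any name under `exposed` is a list whose table permissions allow anonymous OData reads.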


With the findings, including exposed data from these portals, the team alerted Microsoft. They explained:

