Costello noted that during his research, which involved authorized testing of websites, he uncovered several million sensitive records. Extrapolated to every website built on Power Pages, the total is probably much larger.
“In one case, a large shared business service provider for the NHS was leaking the information of over 1.1 million NHS employees, with large portions of the data including email addresses, telephone numbers, and even home addresses of the employees,” Costello said in his report. “This particular finding was responsibly disclosed and has since been resolved.”
Misunderstanding Power Pages access controls
Microsoft Power Pages is a low-code software as a service (SaaS) platform that enterprises can use to create business websites. Compared to building websites from scratch, Power Pages already provides a role-based access control (RBAC) implementation, a built-in database in the form of Microsoft Dataverse, and drag-and-drop interfaces for various components that can be used to build a website.