In this episode, we take a close look at the history of security issues in Power Pages. We start with the early days — when simple misconfigurations like unchecked table permissions and enabled OData feeds led to major data exposures. These weren't bugs, but they showed how easy it was to set things up the wrong way. We talk about how Microsoft responded and what lessons we've learned about secure defaults and clear documentation.

We then move on to more serious vulnerabilities introduced by newer features like the Web API. We explain how some of these flaws allowed access to restricted data using filters and sort clauses, and how those issues were eventually patched. These were real product-level bugs, and some were even exploited in the wild.

We also share our thoughts on external authentication providers like Google, and the risks that come with delegating authentication — including phishing techniques that can bypass protections. Finally, we reflect on how Power Pages compares to platforms like WordPress, especially when it comes to architecture and the potential for plugin-related vulnerabilities. Despite recent issues, we think the original design of Power Pages deserves credit for holding up well over time.

References

• Power Pages security | Microsoft Learn
• Tip #1407: How to secure Power Apps portal from making the news - Power Platform & Dynamics CRM Tip Of The Day
• Engineered Code - Blog - Power Pages: Another "Leak"
• https://thehackernews.com/2025/01/severe-security-flaws-patched-in.html
• https://www.bleepingcomputer.com/news/security/microsoft-fixes-power-pages-zero-day-bug-exploited-in-attacks/
• https://www.cnn.com/2021/08/24/tech/data-leak-microsoft-upguard/index.html
• https://www.upguard.com/breaches/power-apps

Get in touch

• • [email protected]
  • Nick Hayduk @Engineered_Code
  • George Doubinski @georgedude