Misconfiguration leads to the exposure of millions of records worldwide.
Security company discovers configuration errors in may lead to severe data breaches. Understand common issues exposing sensitive information and how to protect data in applications.
Security firm recently discovered a security vulnerability in a low-code platform used by over 100 million people each month. The company's Head of Security Research, , explained in a report shared with . that the issue led to millions of sensitive data records from various organizations in both the public and private sectors being exposed, "involving industries such as financial services, healthcare, and automotive." Researchers say the affected organizations included the UK's National Health Service (), which leaked information on over 100,000 employees, including email addresses, phone numbers, and home addresses.
The root cause of these data breaches lies in the misconfiguration of access controls used in the development of integrated applications, such as portals. The platform's customizable nature means that a misconfigured site can expose sensitive data to the public.
How did this happen? is a powerful tool for building custom websites, employing a layered approach to access control. This includes site-level, table-level, and column-level permissions. However, when organizations misconfigure these settings, they inadvertently expose sensitive data to the public internet.
Organizations increase their attack surface by exposing more columns than necessary. In a blog post, it is explained that setting values to can allow access to all columns within a table, leaving sensitive information readable. Enabling open registration and external authentication may also allow unauthorized users to reach sensitive data: upon deployment, websites allow self-registration and login by default, even if these pages are not visible on the platform. Users can register and authenticate through , and "authenticated users" have more permissions than "anonymous users."
Another common mistake is granting global access to anonymous users, allowing anyone to view and potentially exploit sensitive information. Even with properly configured table-level permissions, if column security is not implemented, sensitive columns can still be read. Finally, not using data masking techniques may expose sensitive information such as in plain text.
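The layered model described above (site-level registration, table-level web roles, column-level allow lists, masking) can be checked mechanically. The following is an added example, not code from the article or from the platform it describes: a simplified model of that scheme with an audit that flags each of the misconfigurations listed, run against a constructed misconfigured site and its hardened counterpart. Table, column and role names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS, AUTHENTICATED = "anonymous", "authenticated"
# Constructed list of columns that must never be readable in plain text.
SENSITIVE = {"email", "phone", "home_address"}

@dataclass
class TablePermission:
    table: str
    roles: set                        # web roles granted access at table level
    columns: Optional[set] = None     # column-level allow list; None means every column is exposed
    masked: set = field(default_factory=set)  # columns returned masked instead of in plain text

@dataclass
class SiteConfig:
    open_registration: bool           # site-level self-registration / login enabled
    tables: dict                      # table name -> columns the table actually holds
    permissions: list                 # TablePermission entries

def visible_columns(cfg, table, role):
    """Columns a caller holding `role` can read from `table`, with 'clear' or 'masked' per column."""
    out = {}
    for p in cfg.permissions:
        if p.table != table or role not in p.roles:
            continue
        for col in cfg.tables[table]:
            if p.columns is None or col in p.columns:
                out[col] = "masked" if col in p.masked else "clear"
    return out

def audit(cfg):
    """Flag the misconfigurations the article describes; an empty list means none were found."""
    findings = []
    if cfg.open_registration:
        findings.append("site: open self-registration enabled (anyone can become 'authenticated')")
    for p in cfg.permissions:
        if ANONYMOUS in p.roles:
            findings.append(f"{p.table}: table-level access granted to anonymous users")
        if p.columns is None:
            findings.append(f"{p.table}: no column security, every column is exposed")
        exposed = set(cfg.tables[p.table]) if p.columns is None else set(p.columns)
        for col in sorted((SENSITIVE & exposed) - p.masked):
            findings.append(f"{p.table}.{col}: sensitive column readable in plain text")
    return findings

# Constructed sample: an employee contact table exposed with the defaults left in place...
CONTACT = {"contact": ["name", "email", "phone", "home_address", "department"]}
MISCONFIGURED = SiteConfig(True, CONTACT, [TablePermission("contact", {ANONYMOUS, AUTHENTICATED})])
# ...and the same site with registration closed, anonymous access removed, columns allow-listed and masked.
HARDENED = SiteConfig(False, CONTACT, [TablePermission(
    "contact", {AUTHENTICATED}, columns={"name", "department", "email"}, masked={"email"})])

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, visible_columns(cfg, "contact", ANONYMOUS), audit(cfg), sep="\n  ")
```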
"These exposures are significant—with over . million users per month, as well as industry-leading organizations and government entities, spanning financial services, healthcare, automotive, and more," he said. "Clearly, organizations need to prioritize security when managing externally-facing websites and balance usability with security within the platform—these applications currently hold a wealth of confidential corporate data, which attackers view as a gateway into the corporate network."
As shown by data breach incidents, the consequences of these misconfigurations can be extremely severe. By leaking sensitive information, organizations may damage their reputation, face legal repercussions, and potentially expose their systems to further attacks.
This incident also shows that poor access control management in applications poses real risk, especially when handling sensitive data. Organizations should implement appropriate security measures to manage the security of the platform, as the platform today holds a large amount of confidential company data.
Additionally, regularly reviewing access controls, restricting access to sensitive data, implementing robust authentication and authorization mechanisms, and staying informed about emerging security threats and vulnerabilities can significantly reduce the risk of data breaches and protect sensitive information.