In October 2020 I wrote an article on the risks and rewards of the citizen developer approach, urging proponents to put good governance practices in place. Almost one year later, cybersecurity firm UpGuard found an issue with default permissions in the Microsoft Power Apps environment which resulted in the exposure of upwards of 38 million records online.
To be clear, the vulnerability wasn’t inherent in the Power Platform architecture. What UpGuard found was that, despite a warning in the documentation, users had built a number of portals set to default permissions, which created the hole and exposed the records. Microsoft has since made changes to close the hole and improve default security.