This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial. Elsewhere, Gartner reports a whopping 77% increase in inquiries on API security. And finally, we take a look at how an API’s OpenAPI definition can be the foundation for API security.
Tchap is a messaging app that the French government released for internal use. It was hailed as a more secure replacement for Telegram and WhatsApp. And ironically enough, it got hacked in just one hour:
- The sign-up API had an email address parameter that didn’t validate the input format.
- A security researcher, Elliot Alderson, submitted
email@example.com@elysee.fras the address.
- The code simply verified that the address ended with
@elysee.fr, which is a government email domain.
- The check was successful, and Tchap sent a verification email that got delivered to
firstname.lastname@example.org to the attacker.
- The attacker could click the confirmation link, get in, and be able to get into the internal government chat rooms.
To prevent the attack, developers should have defined a strict regular expression for the email address field of their API and enforced the limitation.
Ayoub Fathi found an Insecure Direct Object Reference (IDOR) vulnerability in the API of Shopify Exchange App. The issue — now fixed by Shopify — affected about 8,700 stores and exposed all their revenue and traffic data.
IDOR vulnerability is basically about the lack of authorization. Attackers register and get valid credentials for authentication. However, instead of just accessing their own records, attackers then modify API calls to access other users’ data. For example, API calls might include some sort of ID parameter that attackers can modify to try various combinations. In this particular case, these were the online stores using Shopify that the researcher found through DNS.
Ayoub published a very detailed write-up including his scripts, the way he was doing DNS reverse lookups, and so on.
India’s number one local search service, JustDial, had an unprotected API that leaked personal data of all its 100 mln+ users. Seems that when the company redesigned their apps, the old API was left running, unprotected, and with access to the user database.
Vulnerabilities like this one happen when companies pay attention to their applications but not to the underlying APIs. From JustDial’s perspective, their security was fine because their application was secure. The old API that still existed and had access to their data was simply not on their radar. Considering the wide adoption of API-based application architectures, this mindset needs to change in every company.
Analysts and trends
Gartner’s latest Application Security Testing magic quadrant report has some interesting internal statistics. In 2018, Gartner observed:
- 77% increase over the year on inquiries from end-user clients about API security
- 55% increase on inquiries about container security
- 34% increase on inquiries about DevSecOps
TheNewStack is running my story on how developers can improve the security of their API contracts by auditing the security of the OpenAPI definition of their API.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy