Search This Blog

Showing posts with label API Bug. Show all posts

Hackers Expose Credentials of 200 million Twitter Users

Researchers suggest that a widespread cache of email addresses related to roughly 200 million users is probably a revised version of the larger cache with duplicate entries deleted from the end of 2022 when hackers are selling stolen data from 400 million Twitter users.

A flaw in a Twitter API that appeared from June 2021 until January 2022, allowed attackers to submit personal details like email addresses and obtain the corresponding Twitter account. Attackers used the vulnerability to harvest information from the network before it could be fixed. 

The bug also exposed the link between Twitter accounts, which are frequently pseudonymous, numbers and addresses linked to them, potentially identifying users even if it did not allow hackers to obtain passwords or other sensitive data like DMs. 

The email addresses for a few listed Twitter profiles were accurate, according to the data that Bleeping Computer downloaded. It also discovered that the data had duplicates. Ryushi, the hacker, asked Twitter to pay him $200,000 (£168,000) in exchange for providing the data and deleting it. The information follows a warning from Hudson Rock last week regarding unsubstantiated claims made by a hacker that he had access to the emails and phone numbers of 400 million Twitter users.

Troy Hunt, the founder of the security news website Have I Been Pwned, also investigated the incident and tweeted his findings "Acquired 211,524,284 distinct email addresses; appears to be primarily what has been described," he said. 

The social network has not yet responded to the enormous disclosure, but the cache of information makes clear how serious the leak is and who might be most at risk as a consequence. Social media companies have consistently and quickly minimized previous data scrapes of this nature and have dismissed them as not posing substantial security risks for years.

FBI: Tik Tok privacy issues

Christopher Wray, the director of the FBI, expressed its concern over the potential that the Chinese government might alter TikTok's recommendation algorithms, which can be utilised for conventional espionage activities.

The short clip social network is under federal attention recently, largely because of worries about data privacy, especially when it comes to youngsters, and because of the ongoing tension between the United States and China. In 2020, the Trump government made an unsuccessful effort to eliminate TikTok from app stores. Additionally, there have been legislative hearings on user data in both 2021 and this year.

While Wray acknowledged that there are numerous countries that pose cyberthreats to the United States, "China's rapid hacking operation is the largest, and they have gained more of Americans' personal and business data than any other country combined," Wray said.

He claimed that TikTok APIs may be used by China to manage the software on consumer devices, opening the door for the Chinese government to basically breach the appliances of Americans.

Rep. John Katko, D-NY, the ranking member of the committee and a persistent advocate of cybersecurity issues in Congress, claims that Chinese cyber operations pose a threat to the economic and national security of all Americans. He updated the members that ransomware assaults caused companies $1.2 billion in losses last year.

Using HUMINT operations, China has gained access to the US military and government and gathered important information about US intelligence operations. Due to the development of these abilities, China was able to intercept communications, gather sensitive information, and gather a variety of data regarding US military and diplomatic activities.

Users' Data Exposed Due to Twitter API Security Flaw

Cybercriminals started selling the user details of more than 5.4 million Twitter users on a hacking website in July this year after taking advantage of an API flaw that was made public in December 2021. Just as other researchers discovered a compromise affecting millions of accounts throughout the EU and US, a hacker just made this information available for free.

While the majority of the data was made up of publicly available details like Twitter IDs, names, login names, localities, and verified status, it also contained private details like phone numbers and email addresses. 

Security specialist Chad Loder was the first to reveal the story, but he was shortly suspended from the microblogging service. According to Loder, they contacted a sample of the impacted accounts and came to the conclusion that the information was accurate and the breach happened in 2021.

The information was first stolen from Twitter exploiting a vulnerability in the application programming interface API of the service, but it is now freely available online. Twitter was open about the initial user ID leak and API attack that affected millions of users. The platform claimed at the time that it was alerting users who they could verify had been affected by the data leak.

The data of 5,485,635 active Twitter users was exchanged freely on a hacking site on November 24. The initial 5.4 million data points were distributed for free in a thread that appeared on BreachForums last week, and as of the time of reporting, the forum thread was still active. Although the forum thread highlighted the other 1.4 million from restricted accounts may still be spreading exclusively in private circles, Gizmodo was unable to confirm the veracity of the information.

A breach of 17 million users would be one of the larger user data breaches, though by no means the largest given that Twitter has more than 200 million active daily users.

SAP Security Patch for July: Six High Priority Notes

The July 2022 patch release from SAP was released in addition to 27 new and updated SAP Security Notes. The most serious of these problems is information disclosure vulnerability CVE-2022-35228 (CVSS score of 8.3) in the BusinessObjects Business Intelligence Platform's central administration console.

Notes for SAP Business One 

The three main areas that are impacted by the current SAP Security Notes are as follows, hence Onapsis Research Labs advises carefully reviewing all the information:
  • In integration cases involving SAP B1 and SAP HANA, with a CVSS score of 7.6(CVE-2022-32249), patches a significant information release vulnerability. The highly privileged hackers take advantage of the vulnerability to access confidential data that could be used to support further exploits.
  • With a CVSS rating of 7.5 (CVE-2022-28771),  resolves a vulnerability with SAP B1's license service API. An unauthorized attacker can disrupt the app and make it inaccessible by sending bogus HTTP requests over the network if there is a missing authentication step.
  • A CVSS score of 7.4(CVE-2022-31593), is the third High Priority note. This notice patches SAP B1 client vulnerability that allowed code injection. An attacker with low privileges can use the vulnerability to manipulate the application's behavior.
On July 20, 2022, SAP announced 17 security notes to fix vulnerabilities of medium severity, the bulk of which affect the NetWeaver Enterprise Portal and Business Objects.

Cross-site scripting (XSS) vulnerabilities in the NetWeaver Enterprise Portal were addressed in six security notes that SAP published, each of which had a CVSS score of 6.1. Medium-severity problems in Business Objects are covered by five more security notes.

The SAP July Patch Day illustrates the value of examining all SAP Security Notes prior to applying patches. 

Susceptible APIs Costing Organizations Billions Every year


Last week, threat intelligence firm Imperva published a report titled ‘Quantifying the Cost of API Insecurity’, which examined nearly 117,000 security incidents and unearthed that API insecurity was responsible for annual losses of between $41- 75 billion globally. 

The study conducted by the Marsh McLennan Cyber Risk Analytics Center discovered that larger enterprises had a higher threat of having API-related breaches, with organizations making more than $100 billion in revenue being three to four times more likely to face API insecurity than small or midsize enterprises. 

The security analysts identified that Asia has a high incident rate with between 16% and 20% of cyber-security incidents related to API insecurity. This is likely due to the rapid digital transformation happening across Asia, especially in regard to mobile, as the majority of digital transactions in Asia are done through mobile. 

 How are businesses getting API security so wrong? 

An API is the invisible connective tissue that allows applications to transfer data to enhance end-user experiences and results. "The growing security risks associated with APIs correlate with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva. 

"The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs." 

Businesses are frequently failing to secure APIs, with 95% of enterprises suffering an API security incident in the last 12 months, and 34% acknowledging they lack any kind of API security methodology— despite running APIs in production. 

“Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams,” Cheng explained. “Historically, these groups have been at odds —security is the party of no, and devops is irresponsible and moves too fast. In order to address these challenges, security leaders have to enable application developers to create secure code using technology that is lightweight and works efficiently." 

 Tips for enhancing API security: 

Imperva recommended organizations adopt API governance by monitoring endpoints beyond their organizations. They should also monitor the data flowing through them to ensure that sensitive information is protected. 

Any methodology that security teams implement should include API discovery and data classification. This way, security experts can identify the schema of APIs, while spotting and classifying the data that passes through it, while employing testing to unearth any potential vulnerabilities.

Google: 5-year-old Apple Flaw Exploited


Google Project Zero researchers have revealed insights into a vulnerability in Apple Safari that has been extensively exploited in the wild. The vulnerability, known as CVE-2022-22620, was first patched in 2013, but experts identified a technique to overcome it in 2016. 

Apple has updated a zero-day vulnerability in the WebKit that affects iOS, iPadOS, macOS, and Safari and could have been extensively exploited in the wild, according to CVE org. 

In February, Apple patched the zero-day vulnerability; it's a use-after-free flaw that may be accessed by processing maliciously generated web content, spoofing credentials, and resulting in arbitrary code execution ."When the issue was first discovered in 2013, the version was patched entirely," Google Project Zero's Maddie Stone stated. "Three years later, amid substantial restructuring efforts, the variant was reintroduced. The vulnerability remained active for another five years before being addressed as an in-the-wild zero-day in January 2022." 

While the flaws in the History of API bug from 2013 and 2022 are fundamentally the same, the routes to triggering the vulnerability are different. The zero-day issue was then reborn as a "zombie" by further code updates made years later. 

An anonymous researcher discovered the flaw, and the corporation fixed it with better memory management. Maddie Stone examined the software's evolution over time, beginning with the code of Apple's fix and the security bulletin's description of the vulnerability, which stated that the flaw is a use-after-free flaw. 

“As an offensive security research team, we can make assumptions about the main issues that current software development teams face: Legacy code, short reviewer turn-around expectations, under-appreciation and under-rewarding of refactoring and security efforts, and a lack of memory safety mitigations” the report stated. 

"In October, 40 files were modified, with 900 additions and 1225 removals. The December commit modified 95 files, resulting in 1336 additions and 1325 removals," Stone highlighted. 

Stone further underlined the need of spending appropriate time to audit code and patches to minimize instances of duplication of fixes and to understand the security implications of the modifications being made, citing that the incident is not unique to Safari.

A New Regulation Seeks to Secure Non-HIPAA Digital Health Apps


A guideline designed and distributed by several healthcare stakeholder groups strives to secure digital health technologies and mobile health apps, the overwhelming majority of which fall outside of HIPAA regulation. 

The Digital Health Assessment Framework was launched on May 2 by the American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications. The methodology intends to examine the use of digital health technologies while assisting healthcare leaders and patients in assessing the factors about which online health tools to employ. Covered entities must also adopt necessary administrative, physical, and technical protections to preserve the confidentiality, integrity, and availability of electronically protected health information, according to the Health Insurance Portability and Accountability Act Rules. 

Healthcare data security was never more critical, with cyberattacks on healthcare businesses on the rise and hackers creating extremely complex tools and tactics to attack healthcare firms. Before HIPAA, the healthcare field lacked a universally agreed set of security standards or broad obligations for protecting patient information. At the same time, new technologies were advancing, and the healthcare industry began to rely more heavily on electronic information systems to pay claims, answer eligibility issues, give health information, and perform a variety of other administrative and clinical duties. 

Furthermore, the Office for Civil Rights at the Department of Health and Human Services has enhanced HIPAA Rule enforcement, and settlements with covered businesses for HIPAA Rule violations are being reached at a faster rate than ever before. 

"Digital health technologies can provide safe, effective, and interacting access to personalized health and assistance, as well as more convenient care, improve patient-staff satisfaction and achieve better clinical outcomes," said Ann Mond Johnson, ATA CEO, in a statement. "Our goal is to provide faith that the health and wellness devices reviewed in this framework meet quality, privacy, and clinical assurance criteria in the United States," she added. 

Several health apps share personal information with third parties, leaving them prone to hacks. Over 86 million people in the US use a health or fitness app, which is praised for assisting patients in managing health outside of the doctor's office. HIPAA does not apply to any health app which is not advised for use by a healthcare provider. 

The problem is that the evidence strongly suggests the app developers engage in some less-than-transparent methods to compromise patient privacy. Focusing on a cross-sectional assessment of the top tier apps for depression and smoking cessation in the US and Australia, a study published in JAMA in April 2019 found that the majority of health apps share data to third parties, but only a couple disclosed the practice to consumers in one‘s privacy policies. 

Only 16 of the evaluated applications mentioned the additional uses for data sharing, despite the fact that the majority of the apps were forthright about the primary use of its data. 

According to the aforementioned study, nearly half of the apps sent data to a third party yet didn't have a privacy policy. But in more than 80% of cases, data was shared with Google and Facebook for marketing purposes. 

Another study published in the British Medical Journal in March 2019 discovered that the majority of the top 24 health education Android applications in the USA linked user data without explicitly informing users. In 2021, a study conducted by Knight Ink and Approov found that the 30 most popular mHealth apps are highly vulnerable to API hacks, which might result in the exploitation of health data. Only a few app developers were found in violation of the Federal Trade Commission's health breach rule. 

The guideline from ACP, ATA, and ORCHA aims to help the healthcare industry better comprehend product safety. "There has been no clear means to establish if a product is safe to use in a field of 365,000 goods, where the great majority fall outside of existing standards, such as medical device regulations, federal laws, and government counsel," as per the announcement. 

The implementation of digital health, covering condition management, clinical risk assessment, and decision assistance, is hampered by a lack of direction. The guide is a crucial step in identifying and developing digital health technologies which deliver benefits while protecting patient safety, according to ACP President Ryan D. Mire, MD. The guidelines were developed using the clinical expertise of ACP and ATA members, along with ORCHA's app assessment experience.

ACP also launched a pilot test of digital health solutions that were evaluated against the new framework in conjunction with the new framework. Mire hopes that the trial will assist providers to identify the most effective features for recommending high-value digital health technologies to patients and identify potential impediments to extensive digital health adoption.

PYSA Ransomware Group: Experts Share In-Depth Details


Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider ( B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

Patches for Firefox Updates in an Emergency Two Zero-Day Vulnerabilities 


Mozilla released an emergency security upgrade for Firefox over the weekend to address two zero-day flaws which have been exploited in attacks. The two security holes, identified as CVE-2022-26485 and CVE-2022-26486 graded "critical severity," are use-after-free issues detected and reported by security researchers using Qihoo 360 ATA. 

WebGPU is a web API that uses a machine's graphics processing unit to support multimedia on web pages (GPU). It is used for a variety of tasks, including gaming, video conferencing, and 3D modeling. 

Both zero-day flaws are "use-after-free" problems, in which a program attempts to use memory that has already been cleared. When threat actors take advantage of this type of flaw, it can cause the program to crash while also allowing commands to be executed without permission on the device.

According to Mozilla, "an unanticipated event in the WebGPU IPC infrastructure could escalate to a use-after-free and vulnerable sandbox escape." 

Mozilla has patched the following zero-day vulnerabilities: 

  • Use-after-free in XSLT parameter processing - CVE-2022-26485 During processing, removing an XSLT argument could have resulted in an exploitable use-after-free. There have been reports of cyberattacks in the wild taking advantage of this weakness. 
  • Use-after-free in the WebGPU IPC Framework - CVE-2022-26486 A use-after-free and exploit sandbox escape could be enabled by an unexpected event in the WebGPU IPC framework. There have been reports of attacks in the wild that take advantage of this weakness. 
Since these issues are of extreme concern and are being actively exploited, it is strongly advised to all Firefox users that they upgrade their browsers right away. By heading to the Firefox menu > Help > About Firefox, users can manually check for new updates. Firefox will then look for and install the most recent update, prompting you to restart your browser.

Hackers Linked to Palestine Use the New NimbleMamba Malware


A Palestinian-aligned hacking organization has used a novel malware implant to target Middle Eastern governments, international policy think tanks, and a state-affiliated airline as part of "highly focused intelligence collecting activities." The discoveries by Proofpoint researchers detail the recent actions of MoleRATs in relation to a renowned and well-documented Arabic-speaking cyber organization, and the ongoing installation of a new intelligence-gathering trojan known as "NimbleMamba." 

To verify all infected individuals are within TA402's target zone, NimbleMamba employs guardrails. The Dropbox API is used by NimbleMamba both to control and also data leakage. The malware also has a number of features that make automated and human analysis more difficult. It is constantly in creation, well-maintained, and is geared to be employed in highly focused intelligence collection programs. 

MoleRATs, also known as TA402, operators are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection. 

Reportedly, TA402 sends spear-phishing emails with links to malware distribution sites. Victims should be inside the scope of the attack, otherwise, the user will be rerouted to credible sources. A version of NimbleMamba is dumped on the target's machine inside a RAR file if its IP address fulfills the selected targeted region. Three separate attack chains were discovered, each with minor differences in the phishing lure motif, redirection URL, and malware-hosting sites. 

In the most recent attacks, the perpetrators pretended to be the Quora website in November 2021. The customer would be rerouted to a domain that served the NimbleMamba virus if the target system's IP address fell under one of around two dozen geofenced country codes. The user would be sent to a respectable news source if this was not the case. 

Another effort, launched in December 2021, employed target-specific baits including medical data or sensitive geopolitical information, and delivered malware via Dropbox URLs.

In yet another campaign, which ran from December to January, the hackers employed different baits for each victim but delivered malware via a hacker-controlled WordPress URL. The hacker-controlled URL only enabled attacks on targets in specific nations. 

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," reiterating that the malware "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs," the researchers told. 

400,000 German Students Data Exposed due to API Flaw


A newly found API issue in Scoolio, a school software used by 400,000 German students, has exposed the personal information of those kids. Lilith Wittmann of the IT security collective Zerforchung discovered the issue and notified the applications team immediately. 

Scoolio employs targeted advertising based on data collected from users, the majority of whom are students, without their knowledge or permission. It does, however, assert that it does not collect any user information. 

Scoolio's API shortcomings, as per Wittmann's report, facilitate information extraction based on the user ID. Anyone who uses this technique can obtain the user's username, email address, GPS history, school name and class, interests, UUID data, and personal information such as origin, religion, gender, and so on. 

Furthermore, the researcher also gave a fake representation of the data types affected by the issue. 

The researcher also noted that the API patch to avoid data leak was relatively straightforward and that it arrived in 30 days, on October 25, 2021, after they were notified of the issue on September 21, 2021. She goes on to say that it is impossible to say how many students were affected as Scoolio inflates user statistics. The app's creators have produced an official paper outlining the patch and have confirmed it. 

Scoolio provides users with tools for managing time, homework planning, staying in touch with friends, and even contacting firms for job vacancies or internship options. The business behind this one collaborated with several German schools and marketed it as a remote teaching support software. It was created with funding from three state-owned investment groups: SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen, and Kreissparkasse Bautzen, so many students are compelled to use the software as a result of collaborations and government initiatives endorsing the same. 

The fundamental issue is that no security flaws are being audited. An initiative dubbed "EduCheck Digital" (EDCD) that began in August is attempting to evaluate which instructional media fulfills German data protection requirements and have the green signal for usage in schools. 

"I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures," Danny Roller, CEO, and founder of the Scoolio app shared in a statement. 

"Fortunately, after extensive testing, we can confirm that No user data was intercepted by third parties before the investigation by Ms. Wittmann and we have successfully closed the gaps found."

Payment API Flaws Exposed Millions of Users’ Data


Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, it was discovered that about 5% of these had disclosed their payment integration key ID and key secret. This is not an issue in Razorpay, which caters over eight million businesses, but rather with how app developers are misusing their APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is due to the fact that invalidating a payment integration key would prevent an app from functioning, resulting in substantial user friction and financial loss. 

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub

Developers at Starbucks left an API (Application Programming Interface) key exposed to hackers with no password protection that could have been used by them to gain access to internal systems and consequently manipulate the list of authorized users. Hackers could have exploited the vulnerability in several ways which allowed them to execute commands on systems, add or remove the listed users and AWS account takeover.

The key was discovered by Vinoth Kumar who is an India security researcher, he happened to locate the open key in a public GitHub repository and responsibly reported it to Starbucks on 17th October via HackerOne vulnerability coordination and bug bounty platform. While reporting the same, HackerOne told, “Vinoth Kumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information.”

“While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks.” the expert himself told.

The key would have allowed an attacker to access a Starbucks JumpCloud API and hence the severity of the flaw was all the way up to critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution that customers employ to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single-on (SSO) and Lightweight Directory Access Protocol (LDAP) service.

The issue had been taken into consideration by Starbucks very early on, however, Kumar tends to take note of the same on October 21 and told that the repository had been taken down and the API key had been revoked. As soon as the company examined Kumar's proof-of-concept of the flaw and approved of the same, the expert was rewarded with a bounty worth US$4,000 for responsibly disclosing the vulnerability.

While commenting on the matter, Starbucks said, “Thank you for your patience! We have determined that this report demonstrates “significant information disclosure and is therefore eligible for a bounty,”

“At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”

Twitter API Bug Enables Third Party Access to User Data

An API bug found earlier this month that could host unapproved third-party developers in order to gain access to the user's information on Twitter was as of late looked for and removed by the said social networking site.

The bug was said to affect the permission dialog while approving and authorizing certain applications to twitter and left direct messages to be exposed to the third party without the user's knowledge. Instead of the OAuth token-based method, bug manifested with applications that require a PIN to finish the authorization procedure.

Terence Eden, who found the issue and thusly reported it to Twitter describes it as one coming directly from the official Twitter API keys and the privileged insights being uninhibitedly accessible, enabling the application developers to get to the Twitter API even without the administration's approval.

In spite of the fact that Twitter upheld a few confinements to anticipate imitating the official applications by utilizing the keys to divert to an alternate application than the one they are related with. They utilized a strategy to limit 'callback URLs', so a developer couldn't utilize the API keys with their application.

Yet, shockingly this assurance was not comprehensive, since some applications don't utilize a URL, or they may not bolster call-backs and for these, Twitter at that point resorts to a secondary, PIN based, approval system. Later on, Eden saw that the applications did not demonstrate the correct OAuth details to the user. For reasons unknown, the discourse wrongly informed the user that the application could not be able to access the direct messages, although the inverse was valid.

The researcher submitted his discoveries through HackerOne on November 6 and the issue was acknowledged around the same time subsequent to giving elucidations and exhibiting the privacy violation problem.

Nonetheless Twitter settled the issue on December 6 subsequently informing the analyst that he could distribute the subtleties of his report.