API Security Weekly: Issue #28

This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial. Elsewhere, Gartner reports a whopping 77 percent increase in inquiries on API security. And finally, we take a look at how an API’s OpenAPI definition can be the foundation for API security.

Vulnerabilities

Tchap

Tchap is a messaging app that the French government released for internal use. It was hailed as a more secure replacement for Telegram and WhatsApp. And ironically enough, it got hacked in just one hour:

1. The sign-up API had an email address parameter that didn’t validate the input format.
2. A security researcher, Elliot Alderson, submitted fs0c131y@protonmail.com@elysee.fr as the address.
3. The code simply verified that the address ended with @elysee.fr, which is a government email domain.
4. The check was successful, and Tchap sent a verification email that got delivered to fs0c131y@protonmail.com belonging to the attacker.
5. The attacker could click the confirmation link, get in, and be able to get into the internal government chat rooms.

To prevent the attack, developers should have defined a strict regular expression for the email address field of their API and enforced the limitation.

Shopify

Ayoub Fathi found an Insecure Direct Object Reference (IDOR) vulnerability in the API of Shopify Exchange App. The issue — now fixed by Shopify — affected about 8,700 stores and exposed all their revenue and traffic data.

IDOR vulnerability is basically about the lack of authorization. Attackers register and get valid credentials for authentication. However, instead of just accessing their own records, attackers then modify API calls to access other users’ data. For example, API calls might include some sort of ID parameter that attackers can modify to try various combinations. In this particular case, these were the online stores using Shopify that the researcher found through DNS.

Ayoub published a very detailed write-up including his scripts, the way he was doing DNS reverse lookups, and so on.

JustDial

India’s number one local search service, JustDial, had an unprotected API that leaked personal data of all its 100 mln+ users. Seems that when the company redesigned its apps, the old API was left running, unprotected, and with access to the user database.

Vulnerabilities like this one happen when companies pay attention to their applications but not to the underlying APIs. From JustDial’s perspective, their security was fine because their application was secure. The old API that still existed and had access to their data was simply not on their radar. Considering the wide adoption of API-based application architectures, this mindset needs to change in every company.

Analysts and trends

Gartner’s latest Application Security Testing magic quadrant report has some interesting internal statistics. In 2018, Gartner observed:

• 77 percent increase over the year on inquiries from end-user clients about API security
• 55 percent increase on inquiries about container security
• 34 percent increase on inquiries about DevSecOps

Tools

TheNewStack is running my story on how developers can improve the security of their API contracts by auditing the security of the OpenAPI definition of their API.

You can subscribe to this newsletter at https://apisecurity.io.