API Security Weekly: Issue #29

See the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios.

by Dmitry Sotnikov (DZone CORE) · May. 02, 19 · News


This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints.


Vulnerabilities and Breaches

Some car owners install hardware GPS tracking devices in their vehicles. These are accessed and managed through mobile apps. Two such apps, iTrack and ProTrack, were hacked, with about 7,000 and 20,000 users affected respectively. Both apps were backed by cloud APIs, shipped with the default password 123456, and allowed brute-force ID enumeration through the API. Attackers could get information on both the car and its owner, such as location, owner name, phone number, address, model, make, IMEI number, etc. With some tracker models, the attackers could even have sent commands to the vehicle, for example, to kill the engine.

A popular system and network monitoring solution, Nagios XI, had a SQL injection vulnerability in its APIs. The API did not sufficiently validate user-supplied input, and attackers could exploit this by making an API call using fusekeys and a malicious user ID. A successful SQL injection can serve as the starting point for further attacks. If you are using Nagios:

  • Upgrade to Nagios XI 5.5.11 or later
  • Limit API access to trusted users, trusted networks, and trusted hosts
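To make the Nagios item concrete, here is an added example (not Nagios XI's own code) of an API lookup by user ID written the vulnerable way beside the hardened way, over a constructed in-memory SQLite table; the table, user names and key values are all invented for the demonstration.

```python
import sqlite3

# Constructed in-memory user table standing in for a monitoring product's
# database; example code added here, not Nagios XI's own implementation.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "nagiosadmin", "key-admin-constructed"),
                    (2, "alice", "key-alice-constructed")])
    return db

def lookup_vulnerable(db, user_id):
    # The user-supplied id is pasted into the statement text, so a value such
    # as "0 OR 1=1" changes the query's meaning. Kept only to show the defect.
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, user_id):
    # Validate the shape first (an id is a non-negative decimal integer), then
    # bind it as a parameter; the driver never interprets the value as SQL.
    text = str(user_id)
    if not text.isdigit():
        raise ValueError("user_id must be a decimal integer")
    rows = db.execute("SELECT name FROM users WHERE id = ?", (int(text),))
    return [row[0] for row in rows]

def hardened_rejects(db, user_id):
    # True when the hardened lookup refuses the input instead of querying with it.
    try:
        lookup_hardened(db, user_id)
        return False
    except ValueError:
        return True
```

The vulnerable variant returns every user for a crafted id, which is why the bullet above about limiting API access to trusted callers matters even after patching: a parameter bug anywhere in the surface is reachable by anyone who can reach the API.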

A popular Docker management tool, Portainer, had an unauthenticated /api/settings API. The system was storing LDAP credentials in cleartext and leaking them through this endpoint. An unauthenticated remote attacker could have used the API to obtain the password to the LDAP directory and, with it, sensitive information.

Technology 101: OAuth 2.0

For an entertaining introduction to OAuth 2.0, watch this brilliant video by Jim Manico.

After that, check out these common OAuth 2.0 attack scenarios:

  • Authorization code reuse
  • Unvalidated redirect URI
  • Cross-site request forgery with OAuth Client
  • Access token as part of the URI

See also the OAuth 2.0 threat catalog and the IETF best-practice recommendations in our earlier issue.

Threat Landscape

How long does it take for attackers to find your API and try to exploit it?

Sophos set up honeypots in multiple cloud environments and data centers, collected data on them, and published their results.

In one of the cases, it took only 52 seconds for the honeypot to be tried with credential combinations like admin/admin!

The moral of the story?

  • Security by obscurity simply does not work.
  • Don’t use easy or default user names and passwords.
  • Disable the interfaces you don’t need.
  • Use key-/certificate-/device-based authentication whenever possible.
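Both the honeypot findings above and the tracker-app ID enumeration in the first section show up in plain API access logs. The following added example (not part of the newsletter or of Sophos' report) runs two simple detections over a constructed log sample: logins using well-known default credential pairs, and a single source walking many object IDs in a short window; the IP addresses, paths and timestamps are all invented.

```python
from collections import defaultdict

# Constructed sample access log: "ts ip method path status user/pass-or-dash".
LOG = """\
0 203.0.113.5 POST /api/login 401 admin/admin
3 203.0.113.5 POST /api/login 401 admin/123456
5 203.0.113.5 POST /api/login 401 root/root
52 203.0.113.5 POST /api/login 200 admin/admin
10 198.51.100.9 GET /api/devices/1001 200 -
11 198.51.100.9 GET /api/devices/1002 200 -
12 198.51.100.9 GET /api/devices/1003 404 -
13 198.51.100.9 GET /api/devices/1004 200 -
20 192.0.2.77 GET /api/devices/2210 200 -
"""
# Default pairs worth alerting on; extend from your own product's documentation.
DEFAULT_CREDS = {"admin/admin", "admin/123456", "root/root", "admin/password"}

def parse(log):
    for line in log.splitlines():
        ts, ip, method, path, status, user = line.split()
        yield {"ts": int(ts), "ip": ip, "method": method, "path": path,
               "status": int(status), "user": user}

def default_credential_attempts(events):
    # Any login with a known default pair is an alert; status 200 means it worked.
    return [(e["ip"], e["user"], e["status"]) for e in events
            if e["path"] == "/api/login" and e["user"] in DEFAULT_CREDS]

def id_enumeration(events, threshold=3, window=60):
    # Flag a source that requests many distinct numeric ids under one path
    # prefix within `window` seconds of its first request; 404s count too,
    # since probing misses are exactly what enumeration produces.
    seen = defaultdict(list)
    for e in events:
        prefix, _, last = e["path"].rpartition("/")
        if last.isdigit():
            seen[(e["ip"], prefix)].append((e["ts"], last))
    alerts = []
    for (ip, prefix), hits in seen.items():
        hits.sort()
        ids = {i for ts, i in hits if ts - hits[0][0] <= window}
        if len(ids) >= threshold:
            alerts.append((ip, prefix, len(ids)))
    return alerts
```

The enumeration check is deliberately independent of authorization results: the tracker APIs answered every ID, so a rule keyed only on 401/403 responses would have seen nothing.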

You can subscribe to this newsletter at apisecurity.io.

API security

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
