Amazon Ring APIs suffer from Excessive Data Exposure
Amazon’s Ring, the home-security unit, was recently found to expose Personally Identifiable Information (PII) data of their users. As this article outlines, the API query to fetch the published posts contains the publisher’s location information, which can be misused by a malicious actor and thus compromises the security of the victim user.
The vulnerability identified in the Ring APIs is the classic Excessive Data Exposure vulnerability (#3 in the OWASP API Security Top 10). Typically, APIs affected by this vulnerability return unsolicited fields as part of the API response, relying on the receiving clients or apps to filter out the unwanted data. However, the excessive information exposed can be manipulated by attackers in nefarious ways, as observed in the past: from misusing confidential store identifiers for unauthorized API access, to collecting PII for identity theft, and so on.
Below, we give a brief description of the vulnerability and then identify three different ways in which the CloudVector solution defends against such an attack, namely:
– Design-time risk assessment of OpenAPI specification
– Leveraging Shadow API policies for automatic detection
– Identifying PII associated APIs through continuously updated API catalogs
Ring launched the Neighbors app in 2018. Users of the app are notified about posts and possible crime-watch videos associated with their subscribed location. When a notification arrives, the app lets the user view the video posted by another user. To view the post/video, the viewer's client makes an API call to the Ring API server, and the API response returned to the client app contains the published post together with the publisher's location information. This is shown in Figure 1 (credits to the TechCrunch article referenced above).
Figure 1: The app view and API response view of a post
From the figure, we notice parameters such as latitude, longitude, and address returned as part of the API response payload, even though they are never shown to the video viewer. Similar attacks have affected other organizations, including USPS, in the past.
CloudVector to the Rescue
The CloudVector platform is designed to protect and defend APIs, especially against the OWASP API Top 10. This is achieved through Discovery, Monitoring, and Policy Enforcement. The discovery phase identifies API metadata such as PII and other sensitive content being exchanged by APIs (see Figure 2). The platform also guides the security posture at various stages of the API lifecycle, including design, development, and deployment. Protecting against the OWASP API Top 10 attacks therefore becomes that much more effective, as security barricades are formed at every stage of the API lifecycle.
Figure 2: PII identification among API calls
For the Excessive Data Exposure vulnerability highlighted in this article, the CloudVector Enterprise Edition Platform can protect in three ways:
– CloudVector provides a tool to review OpenAPI design specifications. With this tool, the user can identify issues at the API design stage such as absence of a secure authorization mechanism or unrestricted input to API parameters. The tool also provides the ability for the user to specify their own rules. Therefore, to counter the vulnerability as described above, the user can enforce API response payloads to never have PII data. This can be enforced through a customized rule for the target service’s OpenAPI specification. With the CICD integration support, any occurrence of the API parameter having PII data results in a violation which causes the build pipeline to fail, and therefore, the vulnerability never creeps into the application.
– In environments where API specifications are not available, a developer-centric process may ensure no PII parameters are being returned as part of the API responses. A regression, however, might occur later in time by the same developer or by another team and therefore the problematic parameters may inadvertently become part of the response. Such a scenario is identified by CloudVector as an occurrence of the Shadow API behavior, where the API behaves in an unexpected way. Out-of-the-box automated policies prevent Shadow API behavior and can detect such transgressions immediately.
– Finally, as mentioned above, the platform helps identify API characteristics such as which parameters carry sensitive information. This information is outlined through API Catalogs which are continuously updated. Such an insight helps filter APIs carrying PII information, which is typically a small fraction of the original set of APIs. Presence of an unexpected API in such a subset should help catch surprises, especially for SecOps-like workflows which rely on catalog metadata for effective function.
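As an added example (not CloudVector's code; the OpenAPI fragment, PII field list and captured response are constructed and hypothetical), a small Python check that applies the design-time rule from the first bullet to an OpenAPI response schema, and the shadow-behaviour comparison from the second bullet to a live response against its baseline schema:

```python
# Constructed OpenAPI fragment (hypothetical, not Ring's real spec): the
# viewer's "get post" call declares a response carrying the publisher's location.
LOCATION = {"type": "object", "properties": {
    "latitude": {"type": "number"}, "longitude": {"type": "number"},
    "address": {"type": "string"}}}
POST_SCHEMA = {"type": "object", "properties": {
    "id": {"type": "string"}, "video_url": {"type": "string"}, "publisher": LOCATION}}
POST_SPEC = {"paths": {"/posts/{id}": {"get": {"responses": {"200": {
    "content": {"application/json": {"schema": POST_SCHEMA}}}}}}}}

# Field names the custom rule treats as PII (assumed list; extend to taste).
PII_FIELDS = {"latitude", "longitude", "address", "email", "phone"}

def schema_paths(schema, prefix=""):
    """Dotted path of every property declared in a JSON-schema object."""
    for name, sub in schema.get("properties", {}).items():
        yield prefix + name
        yield from schema_paths(sub, prefix + name + ".")

def json_paths(obj, prefix=""):
    """Dotted path of every key present in an observed JSON response body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield prefix + key
            yield from json_paths(val, prefix + key + ".")

def design_time_violations(spec):
    """Design-time rule: no declared response schema may carry a PII-named field."""
    hits = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for code, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    for p in schema_paths(media.get("schema", {})):
                        if p.rsplit(".", 1)[-1] in PII_FIELDS:
                            hits.append(f"{method.upper()} {path} {code} {p}")
    return hits

def shadow_fields(baseline_schema, observed_body):
    """Run-time check: keys in a live response the baseline schema never declared."""
    return sorted(set(json_paths(observed_body)) - set(schema_paths(baseline_schema)))

# Constructed baseline (the fixed contract) and a captured response (also
# constructed) after a regression put the publisher's coordinates back.
FIXED_SCHEMA = {"type": "object", "properties": {
    "id": {"type": "string"}, "video_url": {"type": "string"},
    "publisher": {"type": "object", "properties": {"display_name": {"type": "string"}}}}}
OBSERVED = {"id": "p1", "video_url": "https://example.invalid/v.mp4",
            "publisher": {"display_name": "neighbor42", "latitude": 37.4, "longitude": -122.1}}
```

In a CI gate, a non-empty result from `design_time_violations` fails the build; at run time, a non-empty result from `shadow_fields` is the signal that the response drifted from its baseline.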
We have described the excessive data exposure by Amazon's Ring APIs for their Neighbors app. The vulnerability exposes PII customer data in the API response. We also identified three different ways in which the CloudVector Enterprise platform helps defend against this OWASP API #3 attack. The platform also helps protect against the remaining OWASP API Top 10 vulnerabilities through automatic security policies which use API communication context along with machine learning and deep learning. If you would like to know more about how CloudVector Enterprise Edition provides advanced API security to protect sensitive data in transit, please feel free to contact us at firstname.lastname@example.org.