
API Data Breaches in 2020

As we near the end of 2020, it is time to look back and review some of the major API-related data breaches and data leakage vulnerabilities of the past year. Before we get into the specifics, it is worth noting a few important facts about these API data breaches:


1. Vulnerabilities in apps handling API data are the direct cause of these breaches. Nothing else is to blame.

2. Access management gateways implementing strict authentication/authorization would NOT have prevented any of these breaches.

3. Gateways and/or firewalls implementing format validation and/or pattern recognition-based inspection would NOT have detected any of these breaches, let alone prevented them. All illicit API requests in these breaches were cleverly crafted to appear entirely “valid” to existing security devices, which lack the capability to examine app-specific data values in transit.

So, if you care about your data, especially data being accessed via APIs, it is time to look beyond your access management gateways or web application firewalls. In the new year, organizations need to resolve to gain visibility into data in transit via APIs.

Here is the list of data breaches and what went wrong:


VMware Workspace ONE API Could Be a Vector in SolarWinds Breach: The SolarWinds-related breach showed us that infrastructure behind a perimeter can be exploited once a breach allows attackers to move laterally. CloudVector will provide a more detailed analysis in a future blog.

Ledger Customer Data Breach: Ledger is a French cryptocurrency hardware wallet company. While the wallets and cryptocurrencies themselves are well protected, a third-party API misconfiguration ended up leaking personal data of their customers.


YouTube API flaws: When uploading a video in Video Builder, the tool showed a list of channels owned by the account and let the user pick the channel they wanted. By calling the API directly and sending a channel ID other than one owned by the user, it was possible to upload the video to another user's channel. YouTube did not verify permissions and uploaded the video to whatever channel was specified.
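
The missing check in the YouTube case is an object-level authorization check. The following is an added illustration, not YouTube's code: a simplified Video Builder-style upload handler in its trusting form beside a hardened form that resolves channel ownership server-side. The channel IDs, owner table and store are constructed for the example.

```python
"""Object-level authorization on an upload endpoint.
Added illustration, not YouTube's code: a simplified Video Builder-style
upload handler. The caller is already authenticated and channel_id is a
well-formed value, so a gateway sees a "valid" request; only the app can
check whether the caller actually owns that channel."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller does not own the target object."""


# Constructed ownership table: channel_id -> owning account.
CHANNEL_OWNERS = {"UC-alice-1": "alice", "UC-bob-9": "bob"}


@dataclass
class VideoStore:
    uploads: dict = field(default_factory=dict)  # channel_id -> [titles]

    def put(self, channel_id: str, title: str) -> None:
        self.uploads.setdefault(channel_id, []).append(title)


def upload_vulnerable(store: VideoStore, session_user: str, channel_id: str, title: str) -> dict:
    """Trusts the channel_id sent by the client. The UI only lists the
    user's own channels, but a direct API call can name any channel."""
    store.put(channel_id, title)
    return {"channel": channel_id, "uploaded_by": session_user}


def upload_hardened(store: VideoStore, session_user: str, channel_id: str, title: str) -> dict:
    """Resolves ownership server-side before acting on the object. Unknown
    and foreign channels fail the same way, so the error does not confirm
    whether a guessed channel_id exists."""
    if CHANNEL_OWNERS.get(channel_id) != session_user:
        raise Forbidden("caller does not own the target channel")
    store.put(channel_id, title)
    return {"channel": channel_id, "uploaded_by": session_user}


def demo() -> tuple:
    """Same request to both handlers: authenticated user 'bob' puts
    alice's channel_id in the request body."""
    vuln, hard = VideoStore(), VideoStore()
    upload_vulnerable(vuln, "bob", "UC-alice-1", "not alice's video")
    try:
        upload_hardened(hard, "bob", "UC-alice-1", "not alice's video")
        rejected = False
    except Forbidden:
        rejected = True
    return vuln.uploads.get("UC-alice-1", []), rejected, hard.uploads
```

Note that nothing about the request differs between the two handlers; the decision depends on a data value only the application can interpret.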


Twitter Fleet APIs Allow Access to Older Tweets: Twitter Fleets are posts that are supposed to disappear after 24 hours. However, accessing these Fleets from public accounts showed that the expired posts were only being filtered at the UI level. Even worse, when the expired Fleets are accessed through the API, read notifications do not appear for the old posts, leaving owners in the dark.

Tesla Backup Gateway APIs (multiple vulnerabilities): Backup Gateways determine when to charge the batteries, when to send power back to the grid, and what combination of solar, battery, and grid energy to use to power the house. The gateways are connected to the internet and expose API endpoints. Some of the APIs do not require authentication, and thus publicly expose data on the individual installation, such as energy consumption and production data, display name, country and state, name of the utility company, and so on. Data such as display names can be configured by the user and may contain identifiable information.


Prestige Software S3 API access exposure: Prestige Software's platform is used by many hotels to integrate their reservation systems with booking.com and expedia.com. The company had a misconfigured S3 bucket open for API access, exposing millions of private customer records.

AWS Resource-Based Policy APIs had information leakage: Researchers found that 22 APIs across 16 different AWS services could be exploited to leak Identity and Access Management (IAM) users and roles. For an improved user experience, AWS tries to help users avoid mistakes when creating often-complex resource-based policies, and calls APIs to validate the various fields present in the policy. This also means that an attacker can use those API calls to determine which identities (users and roles) exist in a target account. To make matters worse, any failure messages appear in the attacker's own account logs. Nothing is logged in the target account, so victims do not even detect that they are under attack.

Thrillophilia API Flaw Exposing Millions of Customer Records: A Bengaluru-based trip planning website was found to allow any visitor to log in and then bypass the visitor's email-based check to obtain sensitive data of other users.

Waze Allowing Random User Tracking: The popular traffic app's API would allow anyone to track sensitive location data of other users.


Gitlab Backdoor API Exposes Private Projects: No further explanation needed; the title says it all.

Shopify Insider Leveraged Order APIs to Obtain Millions of Customer Records: Order APIs intended to be used by merchants were used to steal millions of customer records.


Mercedes-Benz Car Control Vulnerabilities (multiple): Researchers gained access to the backend intranet through the eSIM of a Mercedes-Benz E-Class connected car. To get connected, they had to reuse the APN settings, spoof IMEI numbers, and locate and reuse certificates. However, once they got through these hurdles and established the connection, they found that the APIs themselves were not protected at all.

MGM Grand hotel and casino data breach: This happened in 2019, but the data surfaced when a hacker posted an advertisement on a dark web cybercrime marketplace. It looks like the information ended up on the dark web because of a data leak at Data Viper, a security platform used by MGM, which had lost its database as a result of poor API secure coding practices.


Cisco Data Center Network Manager Authentication Bypass Vulnerability: A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability exists because different installations share a static encryption key. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges. Static or hard-coded API keys should not be used; this is a poor security practice, susceptible to key interception and reuse.

Google Analytics API used as Attack Vector to exfiltrate data: Content Security Policy (CSP) is a useful tool for protecting web applications against client-side vulnerabilities and Magecart attacks. CSP is not really compatible with Google Analytics APIs, however. Google Analytics is widely used on websites to gather statistics and data for business decisions, and thus its domain is typically placed in the CSP allowlist. In a way, this opens a backdoor in CSP. To exfiltrate data, attackers just need to call Google Analytics APIs and ship the data to their own Google Analytics account. The domain of this call is identical to any other Google Analytics call; only the tag parameter is different. That is not something CSP can use as a discriminator, so the call goes through without any problem. This is another story to keep in mind whenever a third-party API is in use.


Google Firebase blunder exposes data through an estimated 24,000 Android apps: Unsecured APIs exposed the Firebase cloud storage used by an estimated 24,000 Android apps. The vulnerability was not really in Firebase itself, but in how many Android developers set up and use Firebase. As Firebase is a cross-platform tool, the impact might not be limited to Android. Because the platform is cloud-based, there is unfortunately room for dire consequences if its security is configured poorly. The leaky deployments exposed REST APIs that allowed attackers to download end-user data through GET requests, and even to modify the data with PUT requests.

Account Takeover Vulnerability in Microsoft Teams: By leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers used a malicious GIF to scrape users' data and ultimately take over all of an organization's Teams accounts. This is a great illustration of the dangers of wildcards in URLs, token exchange, and the power that APIs give attackers once they get past authentication.

Personal data of 1.41m US doctors sold on hacker forum: Hackers used insecure APIs behind the website qa.findadoctor.com to scrape information on 1.4 million doctors in the US. While the information was public on the site itself, the unprotected API allowed downloading all of it in structured form. All of this data can be used in further attacks.

Third-party app used by top EU merchants exposed 8 million sales records: An unprotected database was found to be leaking 8 million shopping records from big names in European e-commerce, including Amazon UK, eBay, Shopify, PayPal, and Stripe. The leaky database belonged to an API vendor that assisted merchants in aggregating sales and refund data from multiple marketplaces and calculating value-added tax (VAT) for cross-border sales in the EU. This incident shows the dangers of exposing your data through APIs to third parties.


Facebook Lets Any User Change the User Name of Any Facebook Page: A misconfigured GraphQL API was found to be vulnerable. Strictly speaking, this was not a direct data leakage, but bad actors could have used such a vulnerability to impersonate others and gain access to private information.

Capital One Fined $80 Million: The incident happened in 2019, but the penalty was finally determined this year. The bad actor leveraged a stolen credential to access S3 buckets via APIs, stealing millions of highly sensitive records undetected. All state-of-the-art data encryption and protection measures were in place. None of them even triggered an alert.


Starbucks Gift-card Holders Can Trick the Website into Allowing Search of Internal Starbucks Customer Records: This direct access bypass was achieved from a guest account by changing some web API input.

VMware Admin API Account Takeover Vulnerability: This may not have been a direct data breach, but a great deal runs on top of VMs, and admin access could have led to serious data breaches.


Apple Sign-in Service API Vulnerability Allows a User to Impersonate Anyone Else: Yes, this is the Apple Sign-in that every Mac or iPhone user uses.

Israeli Voters' Personal Information Exposed by an API Vulnerability in the Election App: An estimated 6.5 million voters were affected in this one.


SoundCloud's App Had Multiple Vulnerabilities: These vulnerabilities in the popular music and audio website would have allowed account takeovers.

Airtel API Flaw Exposing Private Data of Its More Than 300 Million Users: Sensitive personally identifiable information held by this large Indian telecom provider, which operates in 18 countries, such as names, addresses, and dates of birth, was all at risk.

OAuth Vulnerability in Login with Facebook Feature: The “Login with Facebook” feature follows the OAuth 2.0 authorization protocol to exchange tokens between facebook.com and a third-party website. The flaw could allow an attacker to hijack the OAuth flow and steal the access tokens, which they could use to take over user accounts. Malicious websites could steal the access_token for the most common apps at the same time and gain access to multiple services and third-party websites such as Instagram, Oculus, Netflix, Tinder, Spotify, etc.

Twitter Revealed API Exploit: An API endpoint was used to find friends on Twitter by their phone numbers. This endpoint was abused to mine accounts by mapping them to phone numbers. Detecting and throttling the exploit was hard because the phone numbers were not sequential and the attackers used multiple accounts and IP addresses. Twitter fixed the issue by changing the API's responses so that they no longer return specific account names. This is a reminder of why generic, endpoint-level API rate limiting is not enough. One needs object-level rate limiting to deal with targeted data mining at the object/data level.
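
To make the endpoint-level versus object-level distinction concrete, here is an added example (not Twitter's code) of a contact-lookup service that budgets the distinct accounts a caller may resolve per window and minimizes its response to a boolean, as the fix described above did. The directory, limits and caller names are constructed for the example; the simulation spreads a mining run over several caller accounts that each stay under the per-endpoint request limit.

```python
"""Endpoint-level vs object-level rate limiting for a contact-lookup API.
Added illustration, not Twitter's code: endpoint-level limiting counts
requests per caller; object-level limiting budgets the distinct accounts a
caller may resolve per window, and the response is minimized to a boolean."""
from collections import defaultdict

DIRECTORY = {f"+1555{i:07d}": f"user{i}" for i in range(300)}  # constructed
ENDPOINT_LIMIT = 100  # requests per caller per window
OBJECT_LIMIT = 25     # distinct accounts a caller may resolve per window


class LookupService:
    def __init__(self):
        self.requests = defaultdict(int)  # caller -> request count
        self.resolved = defaultdict(set)  # caller -> accounts resolved
        self.blocked = set()

    def lookup(self, caller: str, phone: str) -> dict:
        if caller in self.blocked:
            return {"error": "blocked"}
        self.requests[caller] += 1
        if self.requests[caller] > ENDPOINT_LIMIT:  # classic per-endpoint limit
            self.blocked.add(caller)
            return {"error": "rate limited"}
        handle = DIRECTORY.get(phone)
        if handle is None:
            return {"on_platform": False}
        # Object-level budget: a caller who keeps resolving *new* accounts is
        # mining the directory even if the request rate stays modest.
        if handle not in self.resolved[caller] and len(self.resolved[caller]) >= OBJECT_LIMIT:
            self.blocked.add(caller)
            return {"error": "object budget exceeded"}
        self.resolved[caller].add(handle)
        # Minimized response: confirms the contact is on the platform without
        # returning the specific account name.
        return {"on_platform": True}


def simulate(accounts: int = 4, per_account: int = 60) -> dict:
    """Mining spread over several caller accounts, each well under
    ENDPOINT_LIMIT, plus one legitimate caller syncing a short contact list."""
    svc, phones = LookupService(), list(DIRECTORY)
    for a in range(accounts):
        for phone in phones[a * per_account:(a + 1) * per_account]:
            svc.lookup(f"miner{a}", phone)
    for phone in phones[:10] + ["+10000000000"]:  # 10 hits, one miss
        svc.lookup("legit", phone)
    return {"blocked": sorted(svc.blocked),
            "max_requests": max(svc.requests.values()),
            "max_resolved": max(len(s) for s in svc.resolved.values())}
```

In the simulation no caller comes near the request limit, so endpoint-level throttling alone would never fire; the object budget stops each mining account after OBJECT_LIMIT distinct matches while the legitimate sync completes.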

Azure Cloud Infrastructure had two critical vulnerabilities: First, bad actors in Azure Stack used Azure Stack APIs to get the names, IDs, hardware info, and other information on the virtual machines in the cluster. They then found a way to make another unauthenticated API call to get screenshots from live virtual machines belonging to other tenants. Second, an Azure App Service API lacked proper input validation before a memory copy. This allowed the researchers to come up with a payload that gave them system admin rights.

Microsoft OAuth 2.0 Implementation Flaw Led to API Data Leak Risk: This just goes to show that if authentication/authorization is the only defense, one mistake can lead to complete exposure.


Uber App Can Be Tricked into Leaking a Victim's Sensitive UUID: This was actually disclosed late in 2019, but it is too good to pass over. A clever white-hat hacker under 30 discovered this API vulnerability before any bad actor did.

Phone Numbers of 267 Million Facebook Users Shared Online: In December 2019, a database containing millions of phone numbers of Facebook users was shared in an online forum where hackers hang out. How this data got leaked is unknown, but one possibility is that the data was stolen from Facebook's developer API before the company restricted access to phone numbers in 2018.


The list could go on. As digitization drives API adoption, many have sounded the alarm that API abuse may be the next major vector for data breaches. The highly customizable, flexible data layer that makes APIs so powerful can be exactly what bad actors need to get to data that is otherwise locked down. Gaining visibility into sensitive API data in motion is a critical part of ensuring complete API data security for your enterprise.

CloudVector is the third start-up Lebin has helped bootstrap as a serial entrepreneur. His career of more than 20 years in cybersecurity started as an early engineering team member at IntruVert, a company later acquired by McAfee for its industry-leading IntruShield IDS/IPS products. Most recently, Lebin was a co-founder of Netskope, a leader in the Cloud Access Security Broker (CASB) space. Lebin has been awarded 14 patents in areas such as network security, application infrastructure, and protocol/API inspection. He holds an MBA from the Haas School of Business at UC Berkeley and a Master of Science in Computer Science from Purdue University.