400,000 Users Exposed By API Vulnerability – Expert Comment

BACKGROUND:

In response to Scoolio’s API flaw that exposed the data of 400,000 German students, Information Security experts commented below.

4 Expert Comments
Ilia Kolochenko, Founder and CEO
InfoSec Expert
October 29, 2021 10:58 am

Most modern web applications have serious vulnerabilities in their APIs and web services. Some vulnerabilities allow executing remote code and taking full control of the remote system. Such security flaws are usually undetectable by automated scanning tools due to their exploitation complexity. Few software developers have the requisite security skills to make complex cross-application eco-systems secure, while usage of a multi-cloud environment and containers boosts complexity and exacerbates the situation.

This specific incident may trigger serious legal ramifications under GDPR; moreover, the unreasonably long period to fix a fairly simple flaw will likely cause a higher fine if the competent DPA decides to impose monetary penalties. The sensitive nature of the exposed data, if misappropriated by cybercriminals, can foster targeted phishing campaigns, identity theft and financial fraud.

All companies that operate large web systems that handle personal or other types of regulated data should consider implementing a Secure-SDLC program that would include, among other things, continuous security monitoring and regular penetration testing. Systems like WAF or RASP can be used to detect and prevent exploitation of vulnerabilities in a timely manner while developers are working on patches.

Trevor Morgan, Product Manager
InfoSec Expert
October 29, 2021 10:41 am

APIs provide easy interfaces between applications, enabling the exchange of data and flow of information. As such, APIs are a convenience that modern application ecosystems cannot do without. Unfortunately, the API flaw discovered within Scoolio may have inadvertently exposed the sensitive data of thousands of users. The incident reveals that human error—whether misconfigurations during deployment and operations, or bugs and flaws during design and development—all too often fuels breaches in data privacy.

Software development organizations are encouraged to maintain rapid and highly agile cadences, meaning that they develop working code quickly throughout shorter cycles in order to meet minimum functional requirements, then flex and adapt according to dynamic user demands. Refinement of functioning software comes in subsequent iterations of the code. Nobody wants development teams to work more slowly, but at the same time cadence cannot be maintained at the expense of proper security design and testing. The Scoolio incident should encourage every software development organization and team to move security from an overlay function at the tail end of the development cycle to a critical component of the initial design and planning phase.

Eoin Keary, CEO and Cofounder
InfoSec Expert
October 29, 2021 10:39 am

API security is still not as mainstream as web application security. Although the technologies are very similar and convergence is underway, the challenge is both in tooling and approach.

The majority of web security tooling is not suited to easily and adequately test APIs for security issues; this is certainly part of the problem: inadequate security assurance within the API development lifecycle.

Encryption of the leaked data is irrelevant assuming the exposure was via the API, and even if it was encrypted an injection attack against the API would decrypt the data the same as a legitimate request.

Continuous security testing has become the standard to help pick up such weaknesses. What is also important to note is that if the vulnerability was a “logical weakness” as opposed to a “technical weakness”, security tooling generally would not discover such an issue. Logical weaknesses take human intelligence to discover, a shortfall of an entirely automated approach to cyber security.

Nathanael Coffing, CSO and Co-founder
InfoSec Expert
October 29, 2021 10:37 am

As today’s enterprises increasingly turn to application programming interfaces (APIs) to enhance user experience and drive innovation, they often overlook the need to protect these services with fine-grained authorization and consent. In this case, the exposed data was more than enough for cybercriminals to launch highly targeted phishing attacks against the impacted users. Any organization responsible for consumers’ personally identifiable information (PII) must prioritize implementing proper security guardrails to mitigate data leakage and exposure risks. Enforcing context-based granular authorization on all APIs and externalizing it from the API code prevents hackers from attacking flaws that expose sensitive personal information and ensures authorization and consent safeguards cover all users.

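Nathanael Coffing's recommendation to enforce context-based, granular authorization on every API and to externalize it from the handler code, and Eoin Keary's point that such authorization gaps are "logical weaknesses" that scanners rarely catch, can both be shown in a small worked example. This is an added illustration, not code from the page, from Scoolio, or from any of the commenters; the profile data, the `Request` type, the `policy` rules and the handler names are all constructed for the example. It contrasts a handler that trusts the user id in the URL with one that consults a separate policy decision point (owner, support staff with an open ticket, or a directory role limited to non-sensitive fields) before releasing any personal data, and includes the enumeration check a tester would use to detect object-level exposure.

```python
"""Externalized, context-based authorization for a student-profile API.

Added example (not the page's, Scoolio's, or any commenter's code). All names
and data here are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample store: student profiles keyed by user id.
PROFILES = {
    "u100": {"name": "Alice", "email": "alice@example.invalid", "school": "School A"},
    "u200": {"name": "Bob", "email": "bob@example.invalid", "school": "School B"},
    "u300": {"name": "Carol", "email": "carol@example.invalid", "school": "School A"},
}

# Fields that only the owner (or an explicitly authorised role) may read.
SENSITIVE = {"email"}


@dataclass(frozen=True)
class Request:
    subject: str        # authenticated caller, taken from the session/token
    roles: frozenset    # roles attached to the caller
    target: str         # user id from the URL, e.g. GET /profiles/{target}
    fields: tuple       # fields the caller asks for


class AuthorizationError(Exception):
    pass


def handler_unchecked(req, context=None):
    """'Before' pattern: the caller is authenticated, but the target id is
    never compared with the caller, so any logged-in user can walk every id."""
    return dict(PROFILES[req.target])


def policy(req, context):
    """Policy decision point: a pure function of subject, resource and context.
    Returns (allowed, reason). Living outside the handlers, it can be unit
    tested and audited on its own, and every endpoint gets the same rules."""
    if req.target not in PROFILES:
        return False, "unknown resource"
    if req.subject == req.target:
        return True, "owner"
    if "support" in req.roles and context.get("ticket_open"):
        # context-based rule: support may read a profile only while a ticket is open
        return True, "support with open ticket"
    if "directory" in req.roles and not (SENSITIVE & set(req.fields)):
        # granular rule: directory role sees names and schools, never email
        return True, "directory role, non-sensitive fields"
    return False, "no applicable rule"


def authorize(req, context):
    """Policy enforcement point: raises unless the PDP allows the request."""
    allowed, reason = policy(req, context)
    if not allowed:
        raise AuthorizationError(reason)
    return reason


def handler_checked(req, context=None):
    """'After' pattern: the handler holds no authorization logic of its own;
    it asks the PDP first and then projects only the requested fields."""
    authorize(req, context or {})
    profile = PROFILES[req.target]
    return {k: profile[k] for k in req.fields if k in profile}


def reachable_profiles(handler, subject, roles=frozenset(), context=None):
    """Detection check: how many profiles can this caller read by enumerating
    every id? For an ordinary user the answer should be exactly one."""
    count = 0
    for uid in PROFILES:
        req = Request(subject, roles, uid, ("name", "email"))
        try:
            handler(req, context)
            count += 1
        except AuthorizationError:
            pass
    return count


if __name__ == "__main__":
    print("unchecked handler, user u100:", reachable_profiles(handler_unchecked, "u100"))
    print("checked handler, user u100:  ", reachable_profiles(handler_checked, "u100"))
```

Run stand-alone, the script reports that the unchecked handler lets one ordinary user reach all three profiles while the checked handler limits the same user to their own record. The enumeration count is the kind of evidence that distinguishes a logical authorization flaw from a technical one: every individual response is well-formed and "valid", so only a check that reasons about who should see what will flag it.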
Information Security Buzz