Peloton API Bug: Expert Commentary

<p style=\"font-weight: 400;\">The root cause of the issue is improper authentication, one of the top 10 vulnerabilities hackers find on HackerOne. In fact, we’ve seen the amount organisations pay for improper authentication vulnerabilities increase 36% year over year. When development cycles speed up, there is inevitably going to be a greater chance of introducing vulnerabilities into code so, with the speed of modern development, it’s no surprise vulnerabilities like this keep cropping up. With an obscure domain such as those referenced in this instance, it takes an adversarial approach with proper reconnaissance to identify the assets and the risk they pose to users.</p> <p> </p> <p style=\"font-weight: 400;\">In “Issue 3,” the hacker was able to identify a backend API/system where the vulnerability existed. Since this domain uses graphql, it’s easy to access and enumerate its schema if you have a solid understanding of graphql itself, which many good hackers do. But all of this research hinges on action being taken. Organisations can have the best technology and systems in place, but they’re only so effective without the addition of humans spotting the unexpected and taking immediate action. Therefore, it’s crucial that security teams are empowered to respond to vulnerability reports quickly and effectively to prevent them from being exploited by malicious actors, who could be the next to identify the issue. Having a vulnerability disclosure policy is an important and widely accepted step in ensuring vulnerability findings make it into the right hands to be remediated.</p>