Robocall Legal Advocate Leaks Customer Data

Brian Krebs reported that thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers could all be viewed or downloaded without authentication from the domain theblacklist.click. The open directory also included all 388 Blacklist customer API keys, as well as each customer's phone number, employer, username and password, all readable by anyone who found the listing.

1 Expert Comment
Matt Keil, Director of Product Marketing
InfoSec Expert
August 5, 2020 7:59 pm

This is a perfect example of how an API can be used to foster partnerships, but lacking in execution with all too common API authentication errors being made. API keys are a good start, but stronger authentication may be in order to protect the customer data. The more significant error was exposing the API keys in a publicly accessible storage mechanism. These types of errors seem to occur weekly. Do the developers really understand the ramifications of public-facing APIs and data? It's exposed to everyone. It's a simple question, but what else can explain the repetitive nature of these basic errors?

Information Security Buzz
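The point the comment raises, that a store of clear-text API keys and passwords is a replayable credential dump the moment its directory becomes readable, can be made concrete. The following is an added example, not code from the article or from The Blacklist Alliance: it models the record layout that leaked (clear-text key and password) beside a layout in which a downloaded record is useless to the attacker, because the server keeps only a SHA-256 digest of each API key's secret part and a salted PBKDF2 hash of each password. The `bla_<id>_<secret>` key format, the function names and the sample customer record are assumptions made for illustration.

```python
"""
Added example: a customer-credential store that survives an open directory.
The key format, record fields and sample data are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256
KEY_PREFIX = "bla"           # hypothetical vendor prefix; helps secret scanners


def make_api_key() -> str:
    # "<prefix>_<key id>_<secret>": the id is stored in clear so the server can
    # find the record; only the secret needs protecting. token_hex never emits '_'.
    return f"{KEY_PREFIX}_{secrets.token_hex(4)}_{secrets.token_hex(32)}"


def split_api_key(api_key: str) -> Optional[tuple]:
    parts = api_key.split("_")
    if len(parts) != 3 or parts[0] != KEY_PREFIX:
        return None
    return parts[1], parts[2]


def secret_digest(secret: str) -> str:
    # The secret carries 256 bits of entropy, so an unsalted fast hash is
    # already enough to make the stored value useless to whoever reads it.
    return hashlib.sha256(secret.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Passwords are low-entropy: per-user salt plus a deliberately slow KDF.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def create_customer(store: Dict[str, dict], username: str, password: str,
                    phone: str, employer: str) -> str:
    """Add a record; the clear-text API key is returned once and never stored."""
    api_key = make_api_key()
    key_id, secret = split_api_key(api_key)
    store[key_id] = {
        "username": username,
        "phone": phone,
        "employer": employer,
        "password": hash_password(password),
        "api_key_sha256": secret_digest(secret),
    }
    return api_key


def authenticate_key(store: Dict[str, dict], presented: str) -> Optional[str]:
    """Bearer-key check: look the record up by id, compare digests in constant time."""
    parsed = split_api_key(presented)
    if parsed is None:
        return None
    key_id, secret = parsed
    rec = store.get(key_id)
    if rec is None:
        return None
    if hmac.compare_digest(rec["api_key_sha256"], secret_digest(secret)):
        return rec["username"]
    return None


# Constructed sample of the layout that leaked: every field in clear text.
LEGACY_RECORD = {"username": "acme-dialer", "password": "Summer2020!",
                 "api_key": "bla_0badf00d_" + "11" * 32, "phone": "+1-555-0100"}


def legacy_authenticate(record: dict, presented: str) -> bool:
    # Clear-text compare: anyone who downloaded the record can replay the key.
    return record["api_key"] == presented


def leak_replay_demo() -> dict:
    """Simulate an attacker who has downloaded the stored record from an open directory."""
    store: Dict[str, dict] = {}
    real_key = create_customer(store, "acme-dialer", "Summer2020!", "+1-555-0100", "Acme Dialers")
    key_id, _ = split_api_key(real_key)
    leaked = dict(store[key_id])  # exactly what the directory listing would hand out
    forged = f"{KEY_PREFIX}_{key_id}_{leaked['api_key_sha256']}"  # attacker tries the stored digest
    return {
        "legacy_replay_works": legacy_authenticate(LEGACY_RECORD, LEGACY_RECORD["api_key"]),
        "owner_can_auth": authenticate_key(store, real_key) == "acme-dialer",
        "leaked_digest_rejected": authenticate_key(store, forged) is None,
        "leaked_hash_not_password": verify_password(leaked["password"], leaked["password"]) is False,
        "owner_password_ok": verify_password("Summer2020!", leaked["password"]),
    }
```

Hashing at rest does not excuse the open directory: the phone numbers and employers in the record still leak, and a key digest still tells an attacker which key ids exist. It does, however, turn the credential half of the dump into something that cannot be replayed, which is the difference between a privacy incident and an attacker calling the API as every one of the 388 customers.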