Issue 133: Vulnerable Peloton APIs, API contract generation for .NET


This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers.

Vulnerability: Peloton

Peloton is a producer of popular treadmills and stationary bicycles, as wells as a subscription service for training on the equipment. Jan Masters from Pen Test Partners found that the APIs behind the service were highly vulnerable and leaking personal user data.

The information that attackers could get included such details as:

  • User IDs
  • Instructor IDs
  • Group membership
  • Location
  • Workout stats
  • Gender and age

The APIs initially had no authentication at all, but it was silently added after Masters first contacted Peloton. However, there still was no authorization, so anyone with a Peloton ID (and there are more than 3 million of them, and you can self-register!) could still retrieve the data on any other user. This applied even to profiles set as private:

GraphQL vulnerabilities are also involved: besides the main APIs, there were also multiple unprotected GraphQL endpoints.

And, finally, the company could not provide information on whether or not the vulnerability was ever exploited by malicious actors.

Lessons learned:

  • Keep an inventory of all your APIs — there should not be any APIs exposing your production data and systems unbeknownst to you.
  • All APIs must be protected with both authentication and authorization.
  • APIs must not expose more information than strictly necessary for the service or product calling to work properly.
  • Logging and monitoring become really valuable when a breach actually occurs.

API lockdown: Vaccination in India

As you probably know, these are extremely challenging times in India. With the huge spike of COVID cases and overloaded medical systems, there has been a rush for vaccines. This has led to people finding the APIs behind India’s CoWIN vaccination booking portal.

The APIs were originally made public so that private hospitals could integrate them into their systems to facilitate faster vaccination. But with the scrambling for vaccinations, websites, Telegram bots, messenger groups, and so on got created to ping the APIs all the time to find free vaccination slots. As result, each time new slots appeared, they were rapidly taken. A technical capability quickly became a social and governance issue.

Now the CoWIN portal has locked down the API use:

  • Rate limit of 100 API calls per 5 minutes per IP address.
  • Automated bookings through bots or scripts are not possible since bookings can be done only through the CoWIN portal and require entering a one-time password that is sent to the user’s mobile phone.

This is a story of unintended consequences of openness. APIs can be a great enabler, and these APIs were clearly created with the best of intentions. However, make sure that APIs that you create are limited to the target audience that you had in mind and have the security mechanisms (authentication, authorization, data validation, rate limiting, and so on) to protect the intended use.

And needless to say that our hearts go to the people of India and we hope that this crisis goes away as quickly as possible.

Best practices: Generate OpenAPI from .NET annotations

Code-first is the approach in which API contracts and documentation get generated based on the actual implementation code.

In issue 131, we covered how this can be done from Java Spring code. Now it’s time for .NET.

Edgar Silva has written a blog post on using Swashbuckle and NSwag annotations to create high-quality OpenAPI contracts from .NET Core.

For example:

using System.ComponentModel.DataAnnotations;
using System;
 
namespace TodoApi.Models
{
 public class Person
 {
   [Required, RegularExpression("/^[a-zA-Z ]{2,100}$/"),MinLength(5),MaxLength(100)]
   public string firstName { get; set; }
   [Required, RegularExpression("/^[a-zA-Z ]{2,100}$/"),MinLength(5),MaxLength(100)]
   public string lastName { get; set; }
   [Required, Range(1, long.MaxValue)]
   public long id { get; set; }
   [Required, Range(0, 150)]
   public int age { get; set; }
 }
}

If you work with .NET, do check it out!

Conferences: AppSec Village at RSAC 2021

As with all the industry events these days, RSA Conference 2021 (May 17—20) has had to go virtual. If you are taking this opportunity to get some great content from the comfort of your home office, check out the API security sessions of the AppSec Village track.

This includes some great presenters, such as Erez Yalon, David Sopas, Tanya Janca, and others. A full conference pass is required.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy