Issue 219: Money Lover app exposes user data, most web API flaws missed by standard testing

This week, we have news of a recent vulnerability in the Money Lover finance app, and a report into a recent vulnerability in Toyota vehicles, which, according to Toyota, did not result in malicious access. We have an article featuring the views of popular contributor Corey Ball on missing API flaws by using conventional testing and, finally, an update on Twitter’s ongoing efforts to thwart the rise of bots on their platform.

Vulnerability: Money Lover app exposes user data

First up this week is coverage from Dark Reading on a potential vulnerability in the “Money Lover” app developed by Vietnam-based Finsify. The app is a tool for managing personal finances and has a 4.6-star rating from over 1,000 reviewers. According to researchers at Trustwave, the app leaked no actual bank account or credit card details, but they warned that the financial institution could suffer a reputation hit.

The problem was identified by Trustwave researcher Troy Driver who discovered a problem with Money Lover’s security when routing its traffic through a proxy server. Email addresses, wallet names, and live transaction data for each shared wallet were visible to him. The researcher does not reveal the precise details of the vulnerability discovered. However, this has all the hallmarks of broken access control, either broken object-level authorization or broken user authentication. The fact that user information is divulged also indicates the presence of an excessive data exposure flaw.

Readers of this newsletter know only too well both the prevalence and impact of these API vulnerabilities. In this example, the vulnerability was trivially found using a reverse proxy. Although no significant account data was divulged in this example, such vulnerabilities can give an attacker a real foothold into an app for further, more targeted or sophisticated attacks. Even in this example, email addresses were leaked, which can form the basis of a phishing campaign aimed at users of the app.

Users are advised to update their Money Lover app to the latest version, where the vulnerability has been fixed as of January 27th, 2023.

Vulnerability: No evidence of malicious access, says Toyota

According to a recent report, Toyota said a security flaw that allowed employees extensive access to a platform they used to manage operations had been fixed. This comes on the back of a publication from security researcher Eaton Zveare who said he was able to take advantage of a poorly secured application programming interface (API) to break into the Toyota GSPIMS system and had full access to internal Toyota projects, documents, and user accounts, including user accounts of Toyota’s external partners/suppliers.

Zveare said he had access to more than 14,000 users, confidential documents, projects, supplier rankings/comments, and more, and that he reported the issue to Toyota in November. A Toyota spokesperson confirmed that Zveare contacted the company about the issue. An attacker would have been able to add their own account and retain perpetual access to Toyota’s data without ever being discovered, disrupting Toyota’s operations worldwide.

Toyota remediated the vulnerability in less than three weeks and was lauded for having the “fastest and most effective” response to security issues. They reminded researchers who wish to collaborate with Toyota to participate in its coordinated disclosure program.

Article: Corey Ball on API flaws missed by standard testing

The team at The Daily Swig recently interviewed Corey Ball on his thoughts on API security in 2023. The key takeaway for me from this fascinating discussion was the fact that Ball feels that a different approach is needed for API security from that used in more classic web application security. While web application security tools are still valuable and have their uses in securing APIs from classic flaws (such as SQL Injection), they do lack the full context of an API implementation to be able to detect certain classes of API vulnerability.

Ball points out that APIs are becoming the top attack vector for attackers due to their prolific adoption; however, Ball warns that there is a dearth of skills in securing APIs. This led Ball to launch a free online course on web API security and to publish his book Hacking APIs: Breaking Web Application Programming Interfaces.

Ball continues to see commonplace API security mistakes proliferating across the web, including broken object-level authorization and broken function-level authorization, which allow one authenticated user to gain unauthorized access to the data of other users. According to Ball: “With the prevalence of API authorization vulnerabilities, it seems there is both too much trust of valid users and not enough testing to make sure users and groups cannot access or alter each other’s data.”
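The Money Lover item above (shared-wallet data visible to another user) and Ball’s point about object-level authorization describe the same defect class. The following is an added example, not code from Finsify, Trustwave or Ball: a constructed in-memory wallet store with a vulnerable read handler beside a hardened one that enforces membership and allow-lists the returned fields. The store contents, field names and the `Forbidden` error are all assumptions for illustration.

```python
"""Shared-wallet read handler: BOLA plus excessive data exposure, then the fix."""

# Constructed sample data standing in for a finance app's backend store.
WALLETS = {
    1: {"name": "Household",
        "members": {"alice@example.com", "bob@example.com"},
        "transactions": [{"amount": -42.10, "memo": "groceries"}],
        "bank_token": "tok_constructed_secret_1"},
    2: {"name": "Carol private",
        "members": {"carol@example.com"},
        "transactions": [{"amount": 1500.00, "memo": "salary"}],
        "bank_token": "tok_constructed_secret_2"},
}

# Fields a wallet member actually needs; everything else stays server-side.
PUBLIC_FIELDS = ("name", "transactions")


class Forbidden(Exception):
    """Raised when the caller may not read the requested wallet."""


def get_wallet_vulnerable(caller, wallet_id):
    # Any authenticated caller gets any wallet by id (broken object-level
    # authorization), and the whole record is returned, including member
    # e-mail addresses and a secret token (excessive data exposure).
    return dict(WALLETS[wallet_id])


def can_read(caller, wallet_id):
    # Object-level authorization: only listed members may read a wallet.
    wallet = WALLETS.get(wallet_id)
    return wallet is not None and caller in wallet["members"]


def get_wallet_hardened(caller, wallet_id):
    # Same response for "missing" and "not yours" so ids cannot be enumerated.
    if not can_read(caller, wallet_id):
        raise Forbidden("wallet not accessible")
    # Response shaping: allow-list fields instead of dumping the record.
    wallet = WALLETS[wallet_id]
    return {key: wallet[key] for key in PUBLIC_FIELDS}
```

Running the two handlers against the same request from a non-member shows the difference a proxy would reveal: the vulnerable one returns member addresses and the token, the hardened one refuses.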

Ball suggests the following resources for further learning about API security:

  • API Penetration Testing at APIsec University
  • PortSwigger’s Web Security Academy
  • OWASP API Security Project

We would also suggest this newsletter as a top resource for learning and thank Corey for his contribution to education in this exciting space.

Article: Twitter implements API paywall to address bot crisis

To conclude this week, we have a brief update on Twitter’s progress in its fight against bot accounts abusing its APIs.

The bot problem is a significant issue for Twitter. In May 2018, the National Bureau of Economic Research published a working paper on the role of social media bots in shaping public opinion. They found that Twitter bots may have influenced the US presidential race and the UK vote to leave the European Union. Cybercriminals use Twitter bots to distribute spam and malicious links and to amplify their content and profiles.

The Twitter team announced they would no longer provide free API access, which threatened to push away smaller, more cash-strapped developers and academics. Some skeptical observers suggested there may be better strategies and tools that social media sites can use to snuff out botnets, including identifying suspicious accounts, using specialized tools, naming and shaming, and tying accounts to real-world people and organizations. Twitter’s motives may have more to do with advertising revenue than anything else.

It’s unlikely this will be the last time we will feature Twitter’s efforts in thwarting large-scale abuse of its APIs.

Webinar: Mastering Secure API Development with GitHub and 42Crunch

With over 100 million users and 330 million repositories, GitHub has become the de facto home of software development. GitHub has become so much more than purely a Git repository hosting platform: with features such as repository forking, pull requests, and, most notably, GitHub Actions, it is now a one-stop development platform. 42Crunch is the developer-first API security platform with plugins for VS Code and GitHub to automate the process of building secure APIs right in the developer’s natural environment.

Join Colin Domoney (Chief Technology Evangelist at 42Crunch) and Isabelle Mauny (Field CTO at 42Crunch) on June 13, 2023 at 9am PDT / 5pm BST, as they take a deep dive with live demos into how 42Crunch combines with GitHub to facilitate secure API development.

This practical demo will showcase the following:

  • Discover OpenAPI definitions automatically within repositories.
  • Audit OpenAPI definitions in GitHub Actions and view results alongside other code scanning tools all in a single view.
  • Scan your API for security vulnerabilities directly within GitHub Actions.
  • Deploy the 42Crunch API firewall within GitHub Actions.
  • Protect your main branch by performing automated testing of APIs directly within the pull request process, allowing informed risk-based decisions for reviewers.
  • Use the 42Crunch GitHub application to enrich the pull request annotations further, allowing better decision-making for the reviewer.
  • Drive the entire process without ever leaving VS Code!
