Issue 247: Dropbox and Dell breaches, vulnerability in Next.js, API growth causing concerns

This week, we have news of two high-profile breaches. First up is the Dropbox breach, potentially affecting millions of users, and then the Dell breach, affecting 49 million records. We also have details of a pair of vulnerabilities in the Next.js framework, and a free on-demand recording from Microsoft Build on Navigating the Depths of API Security Testing. We share an article on how API growth is causing cybersecurity concerns and another on the menace of unknown APIs. Finally, we have a refresh of the excellent Awesome API Security guide.

Breach: Dropbox users in major data breach

The first breach this week was a potentially large-scale one suffered by Dropbox. Dropbox disclosed a data breach affecting its Dropbox Sign (formerly HelloSign) users. The company filed a breach disclosure with the US Securities and Exchange Commission (SEC) and posted a blog alerting customers about the incident on April 24th, 2024.

Unauthorized access was gained to the Dropbox Sign production environment, compromising customer information such as emails, usernames, phone numbers, hashed passwords, account settings, and authentication information (API keys, OAuth tokens, and multi-factor authentication). This breach is important from an API security viewpoint since many corporate users are potentially using Dropbox as a storage vault, which may contain critical authentication credentials. 

The breach was limited to the Dropbox Sign infrastructure, and other Dropbox products were not impacted. There is no evidence that customer account information, including contract agreements, templates, or payment information, was accessed.

The threat actor used a compromised service account to escalate privileges within the Dropbox Sign production environment and access the customer database.

Dropbox is contacting impacted users with instructions on how to protect their data. The company has reset user passwords, logged users out of connected devices, and rotated API keys and OAuth tokens. Dropbox is working with outside forensic security investigators, and law enforcement has been notified. 

Breach: Dell API abused to steal 49 million records

The next breach is the scraping attack successfully launched against Dell. A threat actor known as Menelik abused a partner portal API to scrape the information of approximately 49 million Dell customer records. The stolen data included customer names, order numbers, service tags, installed locations, and more. It appears no financial information was included in the breach.

According to the threat actor, they could easily register multiple fake partner accounts to gain access to the portal. They then created a program to generate service tags and submit API requests, scraping customer data at a rate of 5,000 requests per minute for three weeks in March 2024 before Dell detected and stopped the activity. 

The threat actor claims they emailed Dell about the vulnerability in April before putting the data up for sale on a hacking forum. However, Dell states they were aware of and investigating the incident before receiving the actor’s email.

This incident highlights the risk of companies having easily accessible APIs without proper rate limiting and verification processes, which threat actors are increasingly abusing to conduct large-scale data scraping and breaches. Implementing stricter controls around API access is critical for preventing such incidents.
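The scraping pattern described above, seen from the defender's side: an added example (not from the article or from Dell) that flags partner accounts whose usage looks like service-tag enumeration. The log format, account ids and thresholds are constructed assumptions.

```javascript
// Assumed log format (constructed): "<ISO time> <account> GET /v1/assets/<serviceTag>"
function makeLogs() {
  const lines = [];
  // Normal partner: a handful of lookups, some repeated, spread over an hour.
  lines.push('2024-03-04T09:02:11Z partner-0042 GET /v1/assets/7XK2Q91');
  lines.push('2024-03-04T09:17:45Z partner-0042 GET /v1/assets/7XK2Q91');
  lines.push('2024-03-04T09:58:03Z partner-0042 GET /v1/assets/B3NQ7L2');
  // Scraper-like partner: 300 generated, never-repeated tags inside one minute.
  for (let i = 0; i < 300; i++) {
    const sec = String(Math.floor(i / 5)).padStart(2, '0');   // 5 requests per second
    const tag = 'GEN' + String(100000 + i);                    // enumerated, not looked up
    lines.push(`2024-03-04T09:30:${sec}Z partner-7781 GET /v1/assets/${tag}`);
  }
  return lines;
}

const LOG_RE = /^(\S+) (\S+) GET \/v1\/assets\/([A-Z0-9]+)$/;

// Two signals: a per-minute burst above what a partner portal needs, and a
// high share of distinct tags (a real partner re-queries its own customers;
// an enumerator almost never repeats a tag).
function findScrapers(lines, { maxPerMinute = 60, maxDistinctRatio = 0.5, minRequests = 20 } = {}) {
  const perAccount = new Map();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;                        // ignore lines that are not asset lookups
    const [, ts, account, tag] = m;
    const minute = ts.slice(0, 16);          // YYYY-MM-DDTHH:MM bucket
    const s = perAccount.get(account) ?? { total: 0, tags: new Set(), perMinute: new Map() };
    s.total++;
    s.tags.add(tag);
    s.perMinute.set(minute, (s.perMinute.get(minute) ?? 0) + 1);
    perAccount.set(account, s);
  }
  const flagged = [];
  for (const [account, s] of perAccount) {
    const peak = Math.max(...s.perMinute.values());
    const distinctRatio = s.tags.size / s.total;
    const reasons = [];
    if (peak > maxPerMinute) reasons.push(`burst of ${peak} requests in one minute`);
    if (s.total >= minRequests && distinctRatio > maxDistinctRatio) {
      reasons.push(`${s.tags.size} distinct tags over ${s.total} requests`);
    }
    if (reasons.length) flagged.push({ account, peak, distinctTags: s.tags.size, reasons });
  }
  return flagged;
}
```

The same counters can drive an online rate limiter instead of a batch detector; the point is that each partner account gets a budget and an anomaly check rather than unlimited lookups.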

Vulnerability: Critical Next.js vulnerability allows server compromise

Next, we have news of a pair of vulnerabilities in Next.js, a popular web development framework. These vulnerabilities have been assigned CVE-2024-34350 and CVE-2024-34351, both with a severity rating of 7.5 (High).

CVE-2024-34350 is a vulnerability that can lead to response queue poisoning when exploited by threat actors. This vulnerability is caused by an inconsistent interpretation of crafted HTTP requests, which are meant to be treated as a single request but are instead treated as two separate requests. To exploit this vulnerability, the affected routes must use the rewrites feature in Next.js. This vulnerability has been patched in Next.js versions 13.5.1 and newer, including 14.x.

CVE-2024-34351 is a Server-Side Request Forgery (SSRF) vulnerability in the API endpoint _next/image, which is used to locate an image in the backend. This endpoint is a built-in component and is enabled by default in Next.js. The vulnerability arises when a server action is called and the response is a redirect with specific parameters. If the redirect location starts with a /, the server fetches the redirect target server-side and returns the result to the client. That server-side fetch was found to build the target URL from the Host header supplied by the client, so a Host header pointing at an internal host leads to SSRF. This vulnerability has been patched in Next.js version 14.1.1.
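The redirect-resolution flaw described above, modelled as an added illustration that is neither Next.js source code nor Assetnote's proof of concept: the function names and the trusted origin value are assumptions. The vulnerable form resolves a relative redirect against the client-supplied Host header; the hardened form resolves it only against a configured origin and rejects anything that escapes it.

```javascript
// Vulnerable pattern: the fetch target is derived from the request's Host header,
// so whoever controls that header controls where the server connects.
function resolveRedirectVulnerable(location, requestHeaders) {
  if (!location.startsWith('/')) return null;        // only relative redirects are followed server-side
  const host = requestHeaders['host'];               // attacker-influenced value
  return new URL(location, `https://${host}`).toString();
}

// Hardened pattern: resolve against a trusted origin from configuration (assumed to
// come from an environment variable or allowlist, never from the request) and check
// that the resulting URL still lives on that origin. Protocol-relative forms such as
// "//other.example" and "/\other.example" re-parse to a different host and are refused.
function resolveRedirectHardened(location, trustedOrigin) {
  if (!location.startsWith('/')) return null;
  const base = new URL(trustedOrigin);
  const target = new URL(location, base);
  if (target.origin !== base.origin) return null;    // redirect escaped the trusted origin
  return target.toString();
}
```

Beyond the origin check, the server-side fetch should also run with an egress policy that blocks link-local and private address ranges, since a compiled allowlist of hosts is the control that survives parser quirks.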

Assetnote has published a proof of concept for CVE-2024-34351, providing detailed information about the exploitation, source code, and other relevant information. It is recommended that Next.js users upgrade to the latest versions to prevent these vulnerabilities from being exploited.

Demo: Microsoft Build – Navigating the Depths of API Security Testing

Our newsletter publisher, 42Crunch, the API Security platform vendor, recently appeared on stage at Microsoft Build showcasing the integration of their API Security testing services with Microsoft Defender for APIs. Microsoft Build is the annual conference for the community of developers and software engineers to discover the latest innovations in code and applications. Following their recent partnership with 42Crunch, Microsoft Product Managers Haris Sohail and Preetham Naik teamed up with 42Crunch’s own Heshaam Attar to explore how best to navigate the depths of API security testing. The session offered a packed audience insights into various API breaches and also a demo by Heshaam, who showcased the end-to-end use case for both 42Crunch Audit and API Scan. Full recording available here – enjoy!

Article: API growth causing cybersecurity concerns

Next, we have an article on a recent survey commissioned by Fastly, Inc., which found that despite APIs’ critical role in the digital economy, most commercial decision-makers ignore the growing security risk they pose for businesses. 95% of respondents said they had experienced API security problems in the last twelve months, with 84% admitting to not having advanced API security in place. The lack of action is attributed to insufficient budget and a lack of expertise.

The survey also revealed sector-based and regional variations in attitudes towards API security. Heavily regulated sectors dealing with sensitive data, such as financial services, were found to be some of the worst culprits regarding API inaction. The UK was marginally ahead of the pack regarding the importance placed on API security, but there was still a tendency not to translate thoughts into actions. The survey suggests that single-provider security solutions and AI could provide answers to the complexity of the API landscape.

Article: The menace of unknown APIs

The next article summarizes key insights from the recent Imperva State of API Security report, which discusses the security risks posed by unknown APIs in modern software development.

Shadow APIs, which are undocumented or undiscovered APIs operating outside official channels, can pose security risks if exploited by threat actors. According to the report, there are 29 shadow APIs per account on average. Deprecated API endpoints (specific routes or URLs within an API that are marked for removal but still accessible) often contain security vulnerabilities. An average of 16 deprecated endpoints per account were found.

Unauthenticated endpoints, which are API routes that do not require authentication or authorization, can potentially expose sensitive data. Imperva’s API discovery process revealed an average of 21 unauthenticated API endpoints per account. The article stresses the importance of a proactive, comprehensive API security strategy that includes continuous monitoring, risk assessment, and protection of sensitive data to safeguard against the risks posed by these unknown APIs.

We frequently discuss the criticality of unknown or shadow APIs; this article is a timely reminder of their importance to API security.

Guide: Updates to Awesome API security guide

For recent subscribers, it would be good to share a perennial favorite with readers. André Rainho curates a good list of API security resources on GitHub. This list references API security tools, cheat sheets, checklists, conferences, books, deliberately vulnerable APIs, and other design resources. 

I’m happy to see my debut book on Defending APIs included in the list of reading resources. Thanks to André Rainho for maintaining this resource for our community.
