Issue 33: First American leaks 885 million mortgage records

Vulnerability: First American

First American Financial Corp. was leaking 885 million mortgage deals records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details.

Presumably, the company did not want to secure the documents to simplify the access to them for all parties in a mortgage deal. As result, the records could be obtained just by putting a sequential document ID parameter in the URL. These parameters were 9-digit integers starting with 000000075 (this one dating from 2003). All attackers had to do was to keep incrementing this parameter and downloading the documents!

This shows how “simplifying” can backfire on you. Instead, access to specific partners with proper authentication and authorization should be used. If this cannot be done for business reasons, other security measures could still be implemented, such as:

  • Separating the web page to view the document from the document URL, and password-protecting that page.
  • Avoiding sequenced identifiers and using randomized IDs instead.
  • Expiring the access to older documents.
  • Monitoring access to prevent bulk download attempts.
  • Notifying the business of the risks using proper risks/benefits analysis.

Vulnerability: Nokelock

Researches have found API vulnerabilities in Nokelock Bluetooth-enabled padlocks. These are the most popular inexpensive devices of that kind on Amazon, and are sold under a few different brands.

The API for the locks uses unencrypted HTTP traffic and a shared API key across all accounts. This lets an attacker get an API key and re-use it against locks belonging to other customers. An attacker could open the locks, get user information and device GPS location, or reassign lock ownership.

Always use HTTPS as your transport protocol and personalized authentication and authorization to prevent such attacks.

Analysts: KuppingerCole on API security

Alexei Balaganski from KuppingerCole has released a report on API security: “The Dark Side of the API Economy“. The report contains detailed examples of the recent exploits, common myths, and recommendations including:

  • Education is key
  • Designing an API strategy
  • Know what you are protecting
  • API Zero Trust
  • Automating API security

The report is free with a registration.

Industry trends: The rise of REST and JSON

Akamai has released the Security volume of their annual “State of the Internet” report. It has fascinating statistics on the rapid rise of API traffic and the impact it has on security:

  • API traffic now constitutes a whopping 83% of all web traffic! HTML traffic is down to just 17%.
  • This is a significant growth compared to the 47% only four years ago.
  • Most of the API traffic is JSON. XML is very much in decline.
  • Browsers (web applications) are only getting 27% of API traffic. The rest of the traffic is smartphones, applications, and devices.

A quote from the report:

For security practitioners, this is vitally important — not all tools are capable of handling the shift, and you may be missing a major source of malicious traffic in your defenses.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy