Issue 45: Hacked dating apps and smartlocks, “Egregious 11” cloud security issues

This week, we take look at the recent location API vulnerabilities in dating apps and smartlocks. In addition, we have an API security video from RSA Conference in Singapore, and the survey results and API security recommendations from Cloud Security Alliance.

Vulnerability: dating apps

BBC has run a story on the common API vulnerability pattern across several gay dating applications: Recon, Grindr, and Romeo.

All of these applications show other members in the user’s proximity. The API vulnerability is a combination of two factors:

  • API can be invoked outside of the application and spoofed client coordinates can be supplied as parameters
  • API returns other members’ exact distance from these coordinates

Attackers could run API calls and supply different locations. Once they knew the exact distance to a user from three different points, they could then determine the user’s exact location using trilateration.

Needless to say, this kind of an API flaw could potentially become a source of a physical security threat for app users.

We have covered other dating apps’ API vulnerabilities in issues 18 and 44.

Vulnerability: FB50 smartlock

FB50 smartlocks are sold under different brands and have more than 15,000 estimated customers. Researchers have found the lock service APIs vulnerable to Insecure Direct Object Reference (IDOR) attack, opening the door for a full takeover.

IDOR vulnerabilities are essentially authorization issues. In such cases, credentials for one account can be used to access data for other accounts.

Here’s how the attack worked:

  1. Attacker creates an FB50 smartlock account with the vendor.
  2. Attacker scans for Bluetooth devices near a smartlock to get the MAC address.
  3. Attacker makes a REST API call to the FB50 cloud service for a device query based on the MAC address of the lock. This gives the attacker the barcode and ID of the lock.
  4. Attacker supplies the lock’s barcode in an API call and gets the user ID of the owner of the lock.
  5. Attacker supplies the lock ID and the user ID in an API call to unbind the lock from the user.
  6. Attacker makes an API call providing their user ID, a new name for the lock, and the MAC of the lock to take ownership of the lock.

RSAC Singapore: The state of API security

Videos from the recent RSA Conference in Singapore are coming out. This video has a conversation between Varun Haran and Jacques Declas on the state of API security:

  • How API security has evolved
  • API security and the role that DevSecOps plays
  • API security for microservices in the world of Kubernetes

Surveys: Egregious 11 cloud security issues

Cloud Security Alliance has released their “Egregious 11” cloud security issues report. The report is the result of a survey that they ran across 241 industry experts.

Needless to say that API security comes out as one of the top issues. Here are some recommendations that they include:

  • Practice good API hygiene, including diligent oversight of things like inventory, testing, auditing, and abnormal activity protections.
  • Consider using standard and open API frameworks.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy