Issue 62: Vulnerabilities in Amazon Ring Neighbors and Droom, WebSocket API security

This week we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars.

Vulnerability: Amazon Ring

Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data through its API calls. The coordinates included in the posted videos are so precise that the locations of the cameras, and therefore of the users, are pinpointed with extreme accuracy.

The Gizmodo journalists could even use the API to enumerate the cameras programmatically and build detailed maps of Ring users by city.

This is not the first time we have featured vulnerabilities in Amazon Ring. In issue 21, we had the plaintext nature of the audio and video streams, and in issue 57, the unencrypted connection during the first setup. This time, we are dealing with OWASP API3:2019, Excessive Data Exposure.

Another reminder to API developers:

  • Do not provide more information than what your application is going to display.
  • Prevent mass extraction of data through your APIs.
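To make the two reminders concrete, here is an added example (not code from the newsletter or from Ring) contrasting a serializer that ships the whole stored record with one that returns only the fields the feed screen displays and snaps the location to a neighborhood-level grid, plus a per-client quota that makes bulk enumeration impractical. The record layout, field names, coordinates and quota values are all constructed for illustration.

```python
"""Added example: minimal API responses and an extraction quota.
Record layout, field names and sample values are constructed."""
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional
import time


@dataclass
class CameraPost:
    post_id: int
    owner_user_id: int
    owner_email: str
    lat: float
    lon: float
    title: str
    video_url: str


# Constructed sample with a sub-metre location, as a naive design might store it.
SAMPLE = CameraPost(101, 9001, "owner@example.invalid", 37.7749295, -122.4194155,
                    "Package taken from porch", "https://media.example.invalid/101.mp4")


def serialize_excessive(post: CameraPost) -> dict:
    # Excessive data exposure: every stored column goes over the wire and the
    # client is trusted to hide whatever it does not display.
    return vars(post).copy()


def coarsen(coord: float, step: float = 0.01) -> float:
    # Snap a coordinate to a ~1 km grid (0.01 degree) so a post identifies an
    # area rather than a doorstep.
    return round(round(coord / step) * step, 2)


def serialize_minimal(post: CameraPost) -> dict:
    # Allow-list of the fields the feed screen shows; owner identity and the
    # precise location never leave the server.
    return {
        "post_id": post.post_id,
        "title": post.title,
        "video_url": post.video_url,
        "approx_lat": coarsen(post.lat),
        "approx_lon": coarsen(post.lon),
    }


class ExtractionLimiter:
    """Fixed-window quota of posts per API client. The numbers are
    illustrative; the point is that a bulk crawl hits the ceiling quickly."""

    def __init__(self, max_posts: int, window_s: float):
        self.max_posts = max_posts
        self.window_s = window_s
        self._seen = defaultdict(lambda: [0.0, 0])  # client -> [window_start, count]

    def allow(self, client_id: str, n_posts: int, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._seen[client_id]
        if now - start >= self.window_s:        # window expired: start a fresh one
            start, count = now, 0
        if count + n_posts > self.max_posts:    # over quota: deny, keep the window
            self._seen[client_id] = [start, count]
            return False
        self._seen[client_id] = [start, count + n_posts]
        return True


if __name__ == "__main__":
    print("excessive:", serialize_excessive(SAMPLE))
    print("minimal:  ", serialize_minimal(SAMPLE))
    limiter = ExtractionLimiter(max_posts=100, window_s=60)
    print("page 1 allowed:", limiter.allow("client-a", 60))
    print("page 2 allowed:", limiter.allow("client-a", 50))
```

The allow-list approach is deliberate: a deny-list of "sensitive" fields silently breaks the moment a new column is added to the record, whereas an allow-list only ever exposes what someone consciously put in it.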

Vulnerability: Droom

India’s largest online vehicle marketplace, Droom, had a vulnerable OAuth2 implementation when logging in with a Facebook account.

Sayaan Alam discovered that he could simply replace the email address in the OAuth2 POST call and log into someone else’s account, with full access to their personal information and even banking details.

Screenshot of Alam's API call with the email address highlighted and redacted.

Implementing OAuth2 correctly can be tricky. Just because you use OAuth2 does not make your API automatically secure. Make sure that you either implement it according to the latest security guidelines, or use popular, proven off-the-shelf implementations.
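The Droom flaw is a good illustration of what "implementing it correctly" means in practice. Below is an added example (not Droom's code) of a social-login endpoint that picks the account from an email supplied in the POST body, beside one that resolves the identity only from the profile the provider returns for the access token. The provider lookup is a constructed stub standing in for a verification call to Facebook; the tokens, users and field names are constructed.

```python
"""Added example: client-supplied identity versus provider-bound identity in
a social login handler. Provider stub, tokens and users are constructed."""
from typing import Optional

# Constructed stand-in for the identity provider: access token -> verified profile.
PROVIDER_TOKENS = {
    "tok-alice": {"id": "fb-1", "email": "alice@example.invalid"},
}

# Constructed local user store keyed by the email the provider asserted at sign-up.
USERS = {
    "alice@example.invalid": {"user_id": 1, "name": "Alice"},
    "victim@example.invalid": {"user_id": 2, "name": "Victim"},
}


def provider_lookup(access_token: str) -> Optional[dict]:
    """Stand-in for verifying the token with the provider and fetching the
    profile it vouches for (in a real app, a server-side Graph API call).
    Returns None for an unknown or expired token."""
    return PROVIDER_TOKENS.get(access_token)


def login_trusting_body(body: dict) -> Optional[dict]:
    # Vulnerable pattern: the token is only checked for validity, and the
    # account is then chosen from an email the client typed into the request.
    if provider_lookup(body.get("access_token", "")) is None:
        return None
    return USERS.get(body.get("email"))


def login_provider_bound(body: dict) -> Optional[dict]:
    # Hardened: the account is chosen from the provider-verified profile; any
    # email in the request body is ignored entirely.
    profile = provider_lookup(body.get("access_token", ""))
    if profile is None:
        return None
    return USERS.get(profile["email"])


if __name__ == "__main__":
    # Constructed request: a valid token for Alice, but a body naming another user.
    request = {"access_token": "tok-alice", "email": "victim@example.invalid"}
    print("trusting body:  ", login_trusting_body(request))
    print("provider bound: ", login_provider_bound(request))
```

The hardened handler also shows why "verify the token" alone is not enough: a token proves that *some* provider user consented, and the server must take *which* user from the same verified source rather than from anything the client can edit.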

Testing: WebSocket API security

If you deal with security testing of WebSocket APIs, check out these useful articles by Shuaib Oladigbolu:

Opinion: Most exploited API vulnerabilities

Jon Wallace lists the API vulnerabilities that he sees hackers attacking most frequently. Most of the characteristics of these APIs have an easy parallel in the OWASP API Security Top 10 list:

Webinar Recordings

42Crunch has published recordings of the two recent API Security webinars:
