Issue 71: Vulnerabilities in SoundCloud and Lime e-scooters, NIST Microservices security strategies

This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing, and a NIST whitepaper on microservices security.

Vulnerability: SoundCloud

Paulo Silva has published a very systematic and thorough report on API vulnerabilities that the Checkmarx Security Research team found in SoundCloud. (SoundCloud has promptly acknowledged and fixed the issues.)

The team discovered multiple API vulnerabilities, such as:

  • Broken authentication

    The /sign-in/password endpoint did not implement proper account lockout based on failed authentication attempts. It relied solely on rate limiting, which could be evaded using several combinations of user_agent, device_id, and signature.

    Combined with the ability to enumerate accounts, this allowed attackers to locate valid user records and then brute force access using credential stuffing.

  • User enumeration

    The /sign-in/identifier and /users/password_reset endpoints returned different results when the login existed in the system compared to when no such user existed.

  • Lack of resources and rate limiting

    The /tracks endpoint did not implement proper resource limiting. It had no validation on the number of track IDs in the ids list, so it was possible to manipulate the list to retrieve an arbitrary number of tracks in a single request. Researchers could use these parameters to get back up to 689 tracks in a single request.

    The endpoint did not require authentication or authorization, making it an easy target for Denial of Service and resource deprivation attacks.

    Also, the /me/play-history/tracks endpoint did not enforce rate limiting, allowing a large number of POST requests.

  • Security misconfiguration

    Issuing a PUT request to /users/{user_id} with an already used permalink returned an unhandled Java exception (java.lang.IllegalStateException), which exposed information about the components and versions in use.

  • Insufficient validation for input on the API level could allow attackers to exploit the service

    The /tracks/{track_urn} endpoint did not properly validate and enforce the length of the description, title, and genre properties.

As an active member of the OWASP API Security Top 10 project, Silva is an excellent source of information on such issues.

Not only does the report provide the full details of the vulnerabilities, it also shows how serious they were in terms of CVSS score and, more importantly, provides recommendations on how to avoid these issues to begin with.
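To make the account-lockout point concrete, here is an added example (written for this issue, not code from the Checkmarx report or from SoundCloud) of a lockout guard keyed on the targeted account rather than on client-supplied values such as user_agent, device_id, or signature, which an attacker can rotate freely. The thresholds and the account names are assumed, illustrative values.

```python
from collections import defaultdict, deque
import time

MAX_FAILURES = 5        # assumed policy value, not taken from the report
LOCKOUT_SECONDS = 900   # assumed policy value, not taken from the report


class AccountLockoutGuard:
    """Counts failed logins per *target account* inside a sliding window.

    Keying the limit on client-controlled values (user agent, device id,
    request signature) is what the report describes as evadable: the
    client simply varies them. Keying on the account under attack cannot
    be evaded by changing anything in the request headers.
    """

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # account -> failure timestamps

    def _prune(self, account, now):
        # Drop failures that fell out of the lockout window.
        q = self._failures[account]
        while q and now - q[0] > self.lockout_seconds:
            q.popleft()

    def is_locked(self, account):
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account):
        self._failures[account].append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(guard, account, password_ok, client_fingerprint):
    """Simulated /sign-in/password handler (hypothetical, not SoundCloud's).

    client_fingerprint is deliberately ignored for lockout decisions: it is
    attacker-controlled. The same generic result is returned for an unknown
    account and for a wrong password, so the endpoint does not leak which
    accounts exist (the user-enumeration finding above).
    """
    if guard.is_locked(account):
        return "locked"
    if password_ok:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "invalid"
```

A per-account lock alone lets a third party lock a victim out by spamming bad passwords, so in production it is combined with per-source limits, progressive delays, or a step-up challenge rather than used on its own.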

Vulnerability: Lime electric scooters

Amir Shladovsky and his team have done some excellent research on API vulnerabilities in the Lime scooter service in Tel Aviv.

The Lime mobile app had functionality for locating available scooters. The API behind that functionality had a few major issues:

  • It returned permanent IDs for each device
  • It allowed callers to keep invoking the same API with different geolocation parameters over and over again
  • It had a poor rate limiting implementation

A combination of these issues allowed the researchers to script API calls over a grid of geolocation parameters covering the city. When someone rented a scooter, they could see that scooter's ID disappear from the API response, and later see the same ID reappear at another location.

In this way, the researchers could track the routes of all devices and see where a particular user rode a particular scooter.

As a bonus, they could even ring the bells of the scooters.

We have previously covered vulnerabilities in electric scooters in issues 19 and 53.

Tips & Tricks: API pentesting

Inon Shkedy has put together a set of 31 tips for API penetration testing.

This is a brilliant resource for anyone working with API security. The tips include:

  • Authorization
  • Authentication
  • Attacks, such as Cross-Site Request Forgery (CSRF) or DoS
  • Data exposure
  • Mass assignment
  • Injections
  • Tools
  • What to do if you get stuck

Guidelines: Microservice security

We first covered the National Institute of Standards and Technology (NIST) whitepaper “Security Strategies for Microservices-based Application Systems” by Ramaswamy Chandramouli in our issue 25, when it opened for comments.

The final version of the whitepaper can be found here. It covers guidelines on, for example:

  • Architectural frameworks
  • Threats
  • Security strategies for identity and access management (IAM)
  • Discovery
  • Communications
  • Monitoring
  • Resiliency
  • Integrity
  • Countering internet attacks
