Issue 76: 3rd-party API leaks 8 million shopping records

This week, new security issues have been reported in US election app, Voatz, and an API vendor has leaked 8 million shopping records in UK. In addition, ESG have shared some of their findings on API security and DevSecOps, and there is a new API security extension for Azure Pipelines.

Vulnerability: Voatz

We have already covered vulnerabilities found in a previous MIT security research on the US election app Voatz in our newsletter issue 72. Now, another security research on the app has also been published.

Trail of Bits was hired to do the new security research jointly by Voatz itself and Tusk Philanthropies. This meant that they got access to most of the source code. This enabled them to do a fuller analysis than previous security researchers who did not have that level of co-operation. As a result, they found even more issues, including some that are API-related:

  • Sensitive API credentials stored in Git repositories
  • Non-standard cryptography
  • Reliance on unvalidated data provided by the clients

Unfortunately, even Trail of Bits still did not receive a full live testing environment for their research. However, it is good to see that the vendor is starting to collaborate with security researchers.

Obviously, the recommendations that Trail of Bits make in their report โ€” like using only standard encryption mechanisms, not storing API keys and secrets in the source code, and validating all input โ€” apply to APIs in general.

Vulnerability: 8 million shopping records

On the dangers of exposing your data through APIs to 3rd parties:ย Comparitech found an unprotected database leaking 8 million shopping records from big names in European e-commerce, like Amazon UK, Ebay, Shopify, PayPal, and Stripe. The leaky database belonged to an API vendor that assisted merchants in aggregating sales and refund data from multiple marketplaces, and calculating value-added tax (VAT) for cross border sales in the EU.

No passwords or full payment information was included in the leaked data, but personal details like names, email and shipping addresses, purchases, and the last four digits of credit card numbers were. The full impact is not known, nor if the data has gotten into wrong hands. The database has been taken down.

Each time you are passing sensitive data to 3rd party vendors through APIs, are you calculating the risk of the 3rd-party aggregating and storing that data, and all of it potentially leaking? If you have to do it, what can you do to mitigate it?

We recommend narrowing down the shared information to bare minimum and redacting any personal customer data that is not absolutely necessary for the operation. For example, in this particular case, we would guess that calculating VATย  would not require customer names, their exact addresses, or phone and credit card numbers.

Analysts: ESG on API security and DevSecOps

At the RSA Conference last month, Doug Cahill from ESG Global shared some findings from his recent research:

  • 92% of surveyed enterprises are concerned about losing data through insecure APIs.
  • 44% are planning or evaluating implementing DevSecOps.
  • Securing the API economy requires a full stack, full lifecycle approach.

For more details, see ESG Cybersecurity page.

Tools: REST API Static Security Testing in Azure Pipelines

REST API security works best when it is “shifted left” and done by design. Hence, a lot of companies are doing just that and including the security tests into their CI/CD pipelines.

42Crunch has just released an extension for Azure DevOps that adds OpenAPI file discovery and static analysis (SAST) to the CI/CD pipeline.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy