Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1 🏅

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #141
This week, we take a look at insecure API traffic in the VeryFitPro Android app, how APIs were used to scrape user profile data from Gettr, and a class of authorization bypasses that can affect APIs protected by AWS API Gateway Lambda authorizers. In addition, there is the latest update to the AsyncAPI standard.
Vulnerability: VeryFitPro
 

Researchers from Trovent Security have found a serious API vulnerability in VeryFitPro, an Android app with more than 10 million downloads.

It turned out that the app communicates with its cloud backend API over cleartext HTTP.

[Screenshot: VeryFitPro API call sent over cleartext HTTP]

This means that an attacker on the same network (for example, an open WiFi hotspot), or anywhere on the path to the backend, can read and modify the API traffic, including login and password reset calls. Besides harvesting credentials and personal data, an attacker who captures a login or password reset exchange can take over the victim's account outright.

To make things worse, the app publisher has not responded to the researchers’ report and has left the issue unaddressed.
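As an added example (not from the Trovent report or the VeryFitPro app), the following Python script shows what a passive observer on the same network gets from cleartext API traffic: it parses raw HTTP requests from a constructed capture (the hostname, paths and field names are made up) and pulls out the passwords, reset tokens and bearer tokens they carry. Over TLS the same observer would see only the destination and the byte counts.

```python
"""Passive audit of cleartext HTTP traffic: what an on-path observer can read (added example)."""
import json
from urllib.parse import parse_qs, urlsplit

# Names that should never cross the wire unencrypted; extend for your own APIs.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "reset_token", "otp", "session"}
SENSITIVE_HEADERS = {"authorization", "cookie", "x-auth-token"}

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def _body_fields(headers: dict, body: bytes) -> dict:
    """Decode a JSON or form-encoded body into a flat name -> value mapping."""
    ctype = headers.get("content-type", "")
    if not body:
        return {}
    if ctype.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
    return {}

def exposed_secrets(raw: bytes) -> list:
    """Return (location, name, value) triples for secrets readable in one cleartext request."""
    req = parse_http_request(raw)
    found = []
    for name in sorted(SENSITIVE_HEADERS & set(req["headers"])):
        found.append(("header", name, req["headers"][name]))
    for name, values in parse_qs(urlsplit(req["target"]).query).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.append(("query", name, values[0]))
    for name, value in _body_fields(req["headers"], req["body"]).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.append(("body", name, str(value)))
    return found

# Constructed sample capture (not real VeryFitPro traffic); host, paths and fields are made up.
CAPTURE = [
    b"POST /api/login HTTP/1.1\r\nHost: api.fitness.invalid\r\nContent-Type: application/json\r\n\r\n"
    b'{"email": "alice@example.com", "password": "hunter2"}',
    b"GET /api/password/reset?email=alice%40example.com&token=7f3a9c HTTP/1.1\r\nHost: api.fitness.invalid\r\n\r\n",
    b"GET /api/profile HTTP/1.1\r\nHost: api.fitness.invalid\r\nAuthorization: Bearer eyJ.abc.def\r\n\r\n",
    b"GET /api/status HTTP/1.1\r\nHost: api.fitness.invalid\r\n\r\n",
]

def audit_capture(capture) -> dict:
    """Map each leaking request line to the secrets it exposed; clean requests are omitted."""
    report = {}
    for raw in capture:
        secrets = exposed_secrets(raw)
        if secrets:
            req = parse_http_request(raw)
            report[f'{req["method"]} {req["target"]}'] = secrets
    return report

if __name__ == "__main__":
    for request_line, secrets in audit_capture(CAPTURE).items():
        print(request_line)
        for where, name, value in secrets:
            print(f"  {where}: {name}={value}")
```

The login password, the password reset token in the query string and the bearer token in the Authorization header are all recovered from the bytes alone; no cryptography is broken because none was used. A redirect from HTTP to HTTPS on the server does not help here, since the client has already sent the request in the clear before the redirect arrives.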

Lessons learned:

  • It is 2021 and there is absolutely no reason for anyone to use HTTP anymore. Your APIs should only accept encrypted HTTPS communications. Do not merely redirect HTTP to HTTPS: a client that starts in cleartext has already leaked the request. Refuse plain HTTP at the API, send an HSTS header, and make mobile clients fail closed (on Android, set cleartextTrafficPermitted="false" in the app's network security configuration).
  • Implement a clear vulnerability disclosure program and promptly address reported vulnerabilities.
Vulnerability: Gettr
 

Gettr is a recently launched Twitter clone for Trump supporters. Within days of its launch, attackers found vulnerable APIs and started scraping and leaking private user data.

At least two issues have been reported:

  1. The API behind the sign-up page returned a distinct error when the supplied email address was already registered. With no rate limiting in place, an attacker could script the call and iterate over a large list of email addresses to find out which of their owners had a Gettr account (a classic account enumeration oracle).
  2. Apparently, a separate unsecured API returned profile fields that are not shown in the Gettr UI, including email address, location, and year of birth (excessive data exposure).

Security researcher Alon Gal found a post on a hacker forum that included the data of more than 90,000 Gettr users:

[Screenshot: hacker forum post offering the scraped Gettr user profile data]

Lessons learned here:

  • Sign-up, login, and password reset responses must not reveal whether an account exists; return the same status and message either way.
  • Rate limit these endpoints (per client, per account, and globally) so that enumeration at scale is impractical.
  • Return only the fields the client actually needs; an API that serializes whole user records leaks data the UI never shows.
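To make the two Gettr issues concrete, here is an added example (written for this newsletter, not Gettr's code) of a sign-up handler and a profile endpoint in vulnerable and hardened form. The user store, field names, client IP and the OUTBOX list standing in for email delivery are all made up for the example.

```python
"""Account enumeration via sign-up errors and excessive profile data, vulnerable vs hardened (added example)."""
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory user store; field names are hypothetical.
USERS = {
    "alice@example.com": {"username": "alice", "display_name": "Alice", "bio": "runner",
                          "email": "alice@example.com", "location": "Austin, TX", "birth_year": 1990},
}
PENDING = {}   # email -> verification token for accounts awaiting confirmation
OUTBOX = []    # (recipient, subject) pairs standing in for real email delivery

def signup_vulnerable(email: str) -> dict:
    """Distinct status and text tell the caller whether the address already has an account."""
    if email in USERS:
        return {"status": 409, "error": "email already in use"}
    return {"status": 200, "message": "verification email sent"}

class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds per key (for example a client IP)."""
    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.calls[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

SIGNUP_LIMITER = RateLimiter(limit=5, window=60)

def signup_hardened(email: str, client_ip: str) -> dict:
    """Identical response whether or not the address is known; the difference goes out by
    email, which the caller cannot observe. Repeated calls from one client are throttled."""
    if not SIGNUP_LIMITER.allow(client_ip):
        return {"status": 429, "error": "too many requests"}
    if email in USERS:
        OUTBOX.append((email, "Someone tried to register with your address"))
    else:
        PENDING[email] = secrets.token_urlsafe(16)
        OUTBOX.append((email, "Confirm your account"))
    return {"status": 200, "message": "Check your inbox to continue"}

# Allowlist of what the UI shows; everything else in the record stays server-side.
PUBLIC_PROFILE_FIELDS = ("username", "display_name", "bio")

def public_profile(username: str):
    """Serialize only the allowlisted fields instead of the whole user record."""
    for record in USERS.values():
        if record["username"] == username:
            return {k: record[k] for k in PUBLIC_PROFILE_FIELDS}
    return None

if __name__ == "__main__":
    print(signup_vulnerable("alice@example.com"), signup_vulnerable("nobody@example.com"))
    print(signup_hardened("alice@example.com", "203.0.113.7"), signup_hardened("nobody@example.com", "203.0.113.7"))
    print(public_profile("alice"))
```

Two details matter in practice: the hardened handler must also take roughly the same time on both branches, since a measurable timing gap is just another oracle, and the limiter keyed on client IP needs a second key (for example the target email address) because a scraper with many source addresses defeats a per-IP limit alone.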

Security research: AWS API Gateway and Lambda authorizers
 

If your APIs are behind AWS API Gateway and use Lambda authorizers for access control, read this research by Alexandre Sieira and Leonardo Viveiro.

Lambdas are serverless functions in AWS. Lambda authorizers are Lambda functions that API Gateway invokes before routing a request: the function inspects the caller's token or request parameters and returns an IAM policy, which API Gateway then enforces:

[Diagram: API Gateway invoking a Lambda authorizer before forwarding the request to the backend]

A Lambda authorizer returns a JSON object with the structure shown below. Its policyDocument property is an IAM policy whose Resource entries are execute-api ARNs naming the API, stage, HTTP method, and path that the Allow or Deny applies to:

[Screenshot: Lambda authorizer response object with principalId, policyDocument and context]

The vulnerability arises when wildcards are used in the Resource ARN. In IAM, * matches zero or more characters of any kind: a single star can match an empty string or a long run of text, and it does not stop at separators such as colons or slashes. A Resource pattern can therefore match far more API paths than its author had in mind.

So you might assume that a policy like the one shown below (a screenshot from the old AWS documentation) only grants access to the test stage:

[Screenshot from the old AWS documentation: a policyDocument whose Resource ARN has a * on either side of /test/]

But in reality, any of the following resources would be a match as well, thus giving the API caller access they should not have:

  • arn:aws:execute-api:us-west-1:12345678:myApiId/test/GET/foo/bar/
  • arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/foo/bar/test/hello/world
  • arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/foo/bar/test/
  • arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/test/hello/world

(In the original post, the substrings matched by the stars around /test/ in the policy are shown in bold.)

Read the original research for more examples of how the use of wildcards can go wrong with Lambda authorizers in AWS.

Quoting the research for recommendations:

  1. Review the use of stars in the policyDocument object. The rule of thumb is that if a star is used at all at the last part of the ARN, it should be in the form of a “/*” at the very end of the resource string (i.e.: “arn:aws:execute-api:us-west-1:12345678:myApiId/test/GET/foo/bar/*”). You can obtain the API ID, stage name and HTTP method dynamically from the input provided to the lambda authorizer. Create one resource string in the policy for each allowed HTTP method.
  2. Consider adding Deny statements that help limit the impact or scope of star expansions on the policyDocument. Remember that AWS IAM always gives precedence to Deny over Allow if multiple statements match an operation.
  3. Whenever feasible, use defense in depth and check again that the user is authorized to call an endpoint in the lambda that implements it. Don’t rely on the lambda authorizer policy as your only method of authorization unless you are sure you can do it securely.
  4. Make sure any code imported from the previous version of the lambda authorizer blueprints is updated to the latest version.
  5. If you use URL path parameters in your APIs, avoid cases where the valid values expected to be submitted to them can be chosen by potential attackers. Prefer backend-generated IDs instead of user-chosen names for entities, for example.
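The following Python example is added here to make the wildcard expansion and recommendations 1 and 2 concrete; it is not code from the research or from AWS. The policy in the screenshot is not reproduced: LOOSE_RESOURCE is an assumed pattern with a star on each side of "test/" that matches all four ARNs listed above. The matcher implements IAM's documented * and ? semantics, evaluate() applies the Deny-over-Allow rule, and build_authorizer_response() derives the API ID and stage from the authorizer's methodArn input and emits one Resource per allowed method with the only star as a trailing /*. The "admin" subtree in the Deny statement is hypothetical.

```python
"""IAM wildcard over-matching in Lambda authorizer policies, and a tighter policy built
from event['methodArn'] (added example)."""
import re

# Assumption: stands in for the screenshot's policy; a star on each side of "test/".
LOOSE_RESOURCE = "arn:aws:execute-api:us-west-1:12345678:myApiId/*test/*"

def iam_match(pattern: str, value: str) -> bool:
    """IAM Resource/Action matching: '*' is zero or more of any character (it does not
    stop at ':' or '/'), '?' is exactly one character, everything else is literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy_document: dict, action: str, resource: str) -> str:
    """Minimal IAM evaluation: an explicit Deny always wins, then any Allow, else implicit deny."""
    decision = "Deny"
    for statement in policy_document["Statement"]:
        if any(iam_match(a, action) for a in _as_list(statement["Action"])) and \
           any(iam_match(r, resource) for r in _as_list(statement["Resource"])):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def parse_method_arn(method_arn: str):
    """Split event['methodArn'], which has the form
    arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<METHOD>/<path>,
    into (arn prefix, api id, stage, method, path)."""
    parts = method_arn.split(":", 5)
    prefix, api_part = ":".join(parts[:5]), parts[5]
    fields = api_part.split("/", 3)
    api_id, stage, method = fields[:3]
    path = fields[3] if len(fields) > 3 else ""
    return prefix, api_id, stage, method, path

def build_authorizer_response(principal_id: str, method_arn: str, allowed_methods, path_prefix: str) -> dict:
    """Recommendation 1: API id and stage come from the request, one Resource per allowed
    method, and the only star is a trailing '/*'. Recommendation 2: a Deny statement fences
    off a (hypothetical) admin subtree even if some Allow over-matches later."""
    prefix, api_id, stage, _method, _path = parse_method_arn(method_arn)
    allow = [f"{prefix}:{api_id}/{stage}/{m}/{path_prefix}/*" for m in allowed_methods]
    deny = [f"{prefix}:{api_id}/*/admin/*"]  # over-matching on a Deny fails safe
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allow},
                {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": deny},
            ],
        },
        "context": {},
    }

# The four ARNs from the newsletter that the loose pattern matches.
NEWSLETTER_ARNS = [
    "arn:aws:execute-api:us-west-1:12345678:myApiId/test/GET/foo/bar/",
    "arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/foo/bar/test/hello/world",
    "arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/foo/bar/test/",
    "arn:aws:execute-api:us-west-1:12345678:myApiId/myStage/GET/test/hello/world",
]

if __name__ == "__main__":
    for arn in NEWSLETTER_ARNS:
        print("loose pattern matches:", iam_match(LOOSE_RESOURCE, arn), arn)
    request_arn = "arn:aws:execute-api:us-west-1:12345678:myApiId/test/GET/foo/bar"
    policy = build_authorizer_response("user-42", request_arn, ["GET"], "foo")["policyDocument"]
    for arn in [request_arn] + NEWSLETTER_ARNS[1:]:
        print("tight policy:", evaluate(policy, "execute-api:Invoke", arn), arn)
```

Note that the tight policy still lists every call the principal may make under the prefix, not just the current one: when authorizer result caching is enabled, API Gateway reuses the returned policy for that caller's later requests, so a policy built for exactly one method and path would break the next call.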
Standards: AsyncAPI
 

AsyncAPI is an open standard, similar to OpenAPI but for asynchronous, event-driven APIs: instead of describing request/response endpoints, an AsyncAPI document describes the channels an application publishes to or subscribes from and the messages exchanged over protocols such as Kafka, MQTT, AMQP, or WebSockets. These are useful when the API consumer wants to be notified when a certain event happens rather than polling for it.

AsyncAPI Initiative just released version 2.1.0 of the specification as well as the enabling tools. The changes in the new version include:

  • Expanded message examples
  • Mercure and IBM MQ protocol bindings
  • SASL security schemes
  • Updated official AsyncAPI tools.

For more details, see the release notes by Lukasz Gornicki.

 
 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..
