Issue 148: Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #148
Microsoft Power Apps breach, BOLA on Topcoder portal, RFC 9101 released, API hacking guide
This week, we have Microsoft Power Apps demonstrating the dangers of lax default settings for data exposure, yet another Broken Object Level Authorization (BOLA/IDOR) vulnerability on the Topcoder portal, the newly released RFC 9101, and a guide to hacking APIs.
Breach: Microsoft Power Apps records leaked via OData API

The big news this week is the data breach at the Microsoft Power Apps platform, leading to the disclosure of up to 38 million records containing Personally Identifiable Information (PII). The details range from names and email addresses to COVID-19 vaccination status, and even Social Security numbers. The breach was discovered by researchers at UpGuard, who detail the underlying issue, the entities impacted, and the response from Microsoft in their recent blog post.

Researchers discovered that the OData API Power Apps uses for accessing list data publicly exposed sensitive user data that should have been private. Access to that data is controlled by a setting called table permissions, which can be configured to restrict access to sensitive records. Unfortunately, Microsoft had opted to leave table permissions off by default, meaning that records were publicly accessible unless users realised they needed to switch the setting on. Microsoft did warn users about the impact of leaving the setting off, but as the breach shows, relying on a warning was not the best call.

Upon their discovery, UpGuard notified Microsoft about the issue. The initial response was that this public accessibility was by design, not a vulnerability. This is not the first time we have seen this excuse for reported API vulnerabilities, often dressed up in the guise of “improved user experience”.

UpGuard then proceeded to notify the impacted entities, many of whom took swift action to remove the leaked PII. To add insult to injury, many core Microsoft portals were also affected, and Microsoft subsequently appears to have notified impacted government cloud customers of the issue.

Since the disclosure of the breach, Microsoft has changed their stance here:

  • They have changed the default setting so that new lists enforce table permissions to protect underlying data.
  • They have provided a dedicated tool, Portal Checker, for finding OData lists that allow anonymous access.

The lessons learned here include:

  • This is a classic example of Broken Authentication on an API — unauthenticated APIs lead directly to unintended data disclosure. You could also argue that this falls under API7:2019 Security Misconfiguration, too.
  • As a developer, always ensure you understand the full impact of your chosen default settings and permissions.
  • As a platform designer providing an API service, always enforce strict access restrictions (deny by default, least privilege, and so on). Allowing full anonymous access to data or other resources is not a sensible default, regardless of any warnings you glue on top.

We’ve previously discussed Microsoft Power Apps causing problems in our issue 138.

Vulnerability: BOLA discovered in Topcoder portal

In other vulnerability news this week, we have the write-up and vulnerability disclosure (which earned the researcher a bounty) of a BOLA vulnerability in Topcoder, a crowdsourcing company with a community of designers, developers, data scientists, and programmers.

BOLA is the number one issue on the OWASP API Security Top 10. Poorly implemented access control allows an attacker to assume the identities of victims and access resources belonging to them by manipulating the object identifier.

The researcher describes the exploit as follows:

  1. Create an account on Topcoder.
  2. Observe how the property for user IDs — often the likely candidate to modify when looking for vulnerabilities — is used.
  3. Enumerate subdomains and confirm the presence of the same user ID.
  4. Locate a request (here a POST) without an Authorization header.
  5. Replace the user ID with the user ID of another account to get access to the victim’s data.

The lessons learned with this one:

  • BOLA is the leading class of API vulnerability and is often relatively easy to exploit, as in this disclosure, so keep your eyes peeled for it.
  • API designers need to ensure that all API endpoints are adequately protected with authorization controls. In this instance, a single unprotected API endpoint was all that was necessary to expose user PII.
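The pattern in steps 4 and 5 above, as an added example (not code from the Topcoder write-up): a profile endpoint that requires no Authorization header and trusts a client-supplied user ID, beside a hardened version that authenticates the caller first and derives the owning account from the bearer token. The profile records, tokens and token-to-user mapping are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: two accounts and the bearer tokens issued to them.
PROFILES = {
    "u-1001": {"email": "alice@example.test", "phone": "555-0101"},
    "u-1002": {"email": "bob@example.test", "phone": "555-0102"},
}
TOKENS = {"tok-alice": "u-1001", "tok-bob": "u-1002"}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def vulnerable_get_profile(req: Request) -> dict:
    """BOLA as in the write-up: no Authorization header is required and the
    object identifier comes straight from the client, so any user_id is served."""
    uid = req.body["user_id"]
    return {"status": 200, "data": PROFILES[uid]}


def hardened_get_profile(req: Request) -> dict:
    """Authenticate first, then authorize: the record returned belongs to the
    authenticated principal, and a user_id naming anyone else is refused."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    caller = TOKENS.get(token) if scheme == "Bearer" else None
    if caller is None:
        return {"status": 401, "error": "authentication required"}
    requested = req.body.get("user_id", caller)
    if requested != caller:
        # Caller and requested object disagree: deny. Repeated mismatches from
        # one token are also a useful alerting signal for ID enumeration.
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "data": PROFILES[caller]}
```
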

Standards: RFC 9101 released

This week also saw the publication of the OAuth 2.0 JWT-Secured Authorization Request (JAR) specification as RFC 9101. This is another one in the series of RFCs bringing OpenID Connect-defined functionality to OAuth 2.0.

OAuth 2.0 and OpenID Connect are currently considered the most secure methods of authentication and authorization in API security. It therefore comes as no surprise that, among other applications, this specification is also used by the OpenID Financial-grade API (FAPI).
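To make the JAR mechanism concrete, here is an added example (not text or code from RFC 9101): the client packs its authorization request parameters into a signed request object, and the authorization server verifies it and acts only on the parameters inside the JWT. The AS issuer URL, client ID and shared secret are constructed, and HS256 is used so the block needs only the standard library; production deployments such as FAPI use asymmetric signing keys, but the validation steps are the same.

```python
import base64, hashlib, hmac, json, time

# Constructed values: the AS identifier the client must name in "aud", and the
# per-client secret the AS holds (real deployments register public keys).
AS_ISSUER = "https://as.example.test"
CLIENT_SECRETS = {"s6BhdRkqt3": b"constructed-client-secret"}

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_request_object(client_id: str, params: dict, ttl: int = 60) -> str:
    """Client side: every authorization parameter goes inside the JWT, together
    with iss (the client), aud (the AS) and a short lifetime."""
    now = int(time.time())
    claims = {**params, "client_id": client_id, "iss": client_id,
              "aud": AS_ISSUER, "iat": now, "exp": now + ttl}
    header = b64u(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(CLIENT_SECRETS[client_id], f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

def validate_authorization_request(query: dict) -> dict:
    """AS side: verify the request object and return the parameters to act on,
    taken only from the JWT. Any failed check raises ValueError."""
    query_client, jwt = query.get("client_id"), query.get("request")
    if not query_client or not jwt:
        raise ValueError("client_id and request are required")
    h, p, s = jwt.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "HS256":  # never accept alg=none
        raise ValueError("unexpected alg")
    secret = CLIENT_SECRETS.get(query_client)
    expected = hmac.new(secret or b"", f"{h}.{p}".encode(), hashlib.sha256).digest()
    if secret is None or not hmac.compare_digest(expected, b64u_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p))
    if claims.get("client_id") != query_client or claims.get("iss") != query_client:
        raise ValueError("client_id in query and request object must match")
    if claims.get("aud") != AS_ISSUER or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    if "request" in claims or "request_uri" in claims:
        raise ValueError("request object must not nest another request")
    # Duplicated query parameters (e.g. a wider scope) are deliberately ignored.
    return {k: v for k, v in claims.items() if k not in ("iss", "aud", "iat", "exp")}
```
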

Tutorial: API hacking guide

Tutorials are always welcome. Luke Stephens (aka hakluke) and Farah Hawaa have teamed up to create a guide on how to hack APIs in 2021.

The guide provides an excellent (and humorous) introduction to the growing need to consider API security right from the start. The advent of Single Page Applications (SPAs), which drive the proliferation of backend APIs, is one important driver for this.

The guide covers, for example:

  • The tools used (primarily Postman)
  • The common configuration and use of these tools
  • A wide range of API vulnerabilities, with great explanations, sample code snippets, and URLs

Of particular use for players on the defender side are the remediation guides, offering clear and actionable advice for protecting APIs.

Highly recommended for both red and blue teams alike (or whatever color your jersey might be)!

Colin Domoney

APISecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc., 95 Third Street, 2nd Floor, San Francisco, CA 94103, United States