APIsecurity.io - APISecurity.io Newsletter: Issue 155

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #155
Vulnerability in BrewDog mobile app, APIClarity at KubeCon, API attacks in Open Banking

This week, we have a vulnerability in the BrewDog mobile app that exposed users’ PII courtesy of hard-coded bearer tokens, Cisco has announced its APIClarity project at KubeCon 2021, F5 has published a report on API attacks in Open Banking, and finally, there’s a mega guide on API security best practices.

Vulnerability: Hard-coded API bearer token in BrewDog mobile app

The big news item this week is the vulnerability in the BrewDog mobile app disclosed by Pen Test Partners. This vulnerability has potentially exposed the personal details of over 200,000 ‘Equity for Punks’ shareholders over the last 18 months. It is currently unclear if the vulnerability has been exploited, but it certainly is not insignificant in its potential impact.

The researchers discovered that the developers of the mobile app had hard-coded API bearer tokens into the application source code. This meant that any user of the application could retrieve information about arbitrary other users simply by guessing their user IDs. Worse still, this information clearly included Personally Identifiable Information (PII) under the GDPR definitions.

When the user is interacting with the mobile app, each call the app makes to the API behind it includes a bearer token as part of the authentication process. Typically, these tokens should be short-lived session tokens, unique to each app user. They are usually obtained through an authentication protocol — commonly OAuth2 — after the user has successfully authenticated. This makes a bearer token a sensitive asset, because it represents the user’s delegated identity: it should be safeguarded within the app and disposed of when the session ends. Above all, bearer tokens should never be stored in the app’s source code, even in encrypted form.

Remarkably, this is exactly what the researchers found when reverse-engineering the BrewDog app, with clear evidence of three hard-coded bearer tokens in the decompiled code.

Moreover, by manipulating the user ID in API calls, it was possible to retrieve information about other users, including PII such as name, email, date of birth, addresses, and telephone numbers. There was also a ‘Bar discount ID’ that is used to create QR codes for discounts on beers! Although the user IDs weren’t sequential, it would be easy enough for an attacker to brute-force them and download the full details of all users. Free beers, everyone!
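
The finding above is authentication without authorization: the app presents a valid token, but nothing ties the requested user ID to the user the token was issued to. The following Python sketch is an added example, not code from the BrewDog app or from Pen Test Partners. It models a profile endpoint in memory with constructed user IDs, tokens and profile fields, and contrasts a handler that only checks that the bearer token exists with one that derives the caller’s identity from a short-lived, per-user token and refuses to serve any other user’s record.

```python
"""Token-bound object-level authorization (added example, not BrewDog code).

A hypothetical in-memory profile API. SESSIONS maps a short-lived, per-user
bearer token to the user it was issued to. The vulnerable handler only checks
that the token exists and then trusts the caller-supplied user_id; the hardened
handler derives the subject from the token and refuses any other user's record.
All user IDs, tokens and profile fields are constructed sample values.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed profile store: user_id -> PII-like record (sample values only).
PROFILES: Dict[str, dict] = {
    "u-7f3a": {"name": "Alice Example", "email": "alice@example.test"},
    "u-91c2": {"name": "Bob Example", "email": "bob@example.test"},
}


@dataclass
class Session:
    subject: str        # user the token was issued to
    expires_at: float   # unix time after which the token is rejected


SESSIONS: Dict[str, Session] = {}   # token -> Session, filled by issue_token()

Response = Tuple[int, Optional[dict]]   # (HTTP status, body)


def issue_token(user_id: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Issue a random, short-lived bearer token bound to exactly one user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(subject=user_id, expires_at=now + ttl_seconds)
    return token


def _bearer(headers: dict) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return value if scheme == "Bearer" and value else None


def get_profile_vulnerable(headers: dict, user_id: str) -> Response:
    """Authentication only: any valid token can read any user's profile."""
    token = _bearer(headers)
    if token not in SESSIONS:
        return 401, None
    return 200, PROFILES.get(user_id)   # user_id never compared to the token's subject


def get_profile_hardened(headers: dict, user_id: str, now: Optional[float] = None) -> Response:
    """Subject comes from the token; the path parameter must agree with it."""
    now = time.time() if now is None else now
    token = _bearer(headers)
    session = SESSIONS.get(token) if token else None
    if session is None or session.expires_at <= now:
        return 401, None                 # missing, unknown or expired token
    if session.subject != user_id:
        return 403, None                 # object-level authorization failure
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


if __name__ == "__main__":
    alice = issue_token("u-7f3a")
    hdrs = {"Authorization": "Bearer " + alice}
    print(get_profile_vulnerable(hdrs, "u-91c2"))   # Alice's token returns Bob's record
    print(get_profile_hardened(hdrs, "u-91c2"))     # (403, None)
```

The hardened handler never reads the identity from the request body or path; the token is the only source of truth for who is calling, and the expiry check is what makes a leaked token a bounded problem rather than a permanent one. A hard-coded, non-expiring token defeats both properties at once.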

The response from BrewDog has been somewhat inadequate: they initially sought to avoid the issue, then clumsily removed the vulnerable API, which left the app partly dysfunctional. It took several attempts before the issue was properly remediated, with the release notes somewhat ironically stating “nothing too exciting”.

The lessons to be learned here are numerous and important, namely:

  • Authentication is a complex process fraught with potential traps. Application developers are advised to use a robust, industry-proven framework such as OAuth2, rather than a woefully inadequate method like hard-coding the credentials.
  • A rudimentary machine search (for example, using grep) can identify hard-coded bearer credentials in the codebase and ensure they are eliminated before they are committed to a code repository. That they were present in this case for as long as they were suggests the app developers knew about them and relied on wishful thinking that they would never be discovered. Attackers are a very clever bunch.
  • The ability to enumerate user IDs suggests the BrewDog API was vulnerable to API1:2019 — Broken object level authorization, although this could have been simply the result of broken authentication in the first place.
  • Savvy organizations should have an established process for breach management and vulnerability disclosure, something that was clearly lacking in this instance.
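
On the grep point above, here is an added example (not from Pen Test Partners, BrewDog or any tool the newsletter names) of a pre-commit style scanner in Python. It flags string literals that embed a Bearer token or a JWT-shaped value, skips lines where the token is interpolated at runtime, and redacts what it reports so the scanner’s own output does not leak the secret. The sample source lines are constructed for the example and contain no real tokens.

```python
"""Pre-commit style scan for hard-coded bearer credentials (added example).

Flags string literals that embed a 'Bearer <token>' value or a JWT-shaped
value, skips lines that interpolate the token at runtime, and redacts what it
reports so the scanner's own output does not leak the secret. Exit status is
non-zero when anything is found, so it can gate a commit or a CI job.
The SAMPLE_SOURCE lines are constructed for this example; none is a real token.
"""
import re
import sys
from typing import List, Tuple

# A quoted literal of the form "Bearer <opaque token>" (16+ token characters).
BEARER_LITERAL = re.compile(r'''["']Bearer\s+([A-Za-z0-9\-._~+/]{16,}=*)["']''')
# A JWT: three base64url segments; a JSON object header always encodes to "eyJ".
JWT_LITERAL = re.compile(r'eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}')
# Signs that the value is filled in at build or run time rather than hard-coded.
PLACEHOLDER = re.compile(r'(\$\{|%s|<[A-Z_]+>|\{\{)')

Finding = Tuple[int, str, str]   # (line number, rule name, redacted value)


def redact(value: str) -> str:
    """Show just enough to locate the match; never echo the whole secret."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one finding per (line, rule) match, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        if PLACEHOLDER.search(line):
            continue                      # interpolated, not a literal credential
        for rule, pattern in (("bearer-literal", BEARER_LITERAL), ("jwt-literal", JWT_LITERAL)):
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append((lineno, rule, redact(value)))
    return findings


# Constructed Kotlin-style source lines; only the last two should be flagged.
SAMPLE_SOURCE = [
    'val client = OkHttpClient()',
    'val token = prefs.getString("session", null)',
    'request.addHeader("Authorization", "Bearer " + token)',
    'request.addHeader("Authorization", "Bearer ${BuildConfig.TOKEN}")',
    'val legacy = "Bearer c0nstructedStaticTokenValue0123456789"',
    'val jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1LTdmM2EifQ.c0nstructedSignatureBytes"',
]


def scan_files(paths: List[str]) -> List[Tuple[str, Finding]]:
    """Scan each file on disk and tag every finding with its path."""
    results: List[Tuple[str, Finding]] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.extend((path, f) for f in scan_lines(fh.read().splitlines()))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = [("<sample>", f) for f in scan_lines(SAMPLE_SOURCE)]
    for path, (lineno, rule, shown) in hits:
        print(f"{path}:{lineno}: {rule}: {shown}")
    sys.exit(1 if hits else 0)
```

Run with file paths as arguments to gate a commit, or with none to scan the constructed sample. The placeholder rule is what keeps the check usable day to day: the hit rate has to stay low enough that developers do not start ignoring it, which is how a known token ends up living in a repository for eighteen months.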

Kudos to the researcher Alan Monie on this discovery and write-up — have a beer on us!

Event: APIClarity announcement at KubeCon 2021

This week sees KubeCon and CloudNativeCon 2021 taking place virtually — and in person again. Of interest to API security practitioners is the announcement by Cisco’s Vijoy Pandey (VP in Cisco’s Cloud Platform and Solutions Group) of a new open-source project called APIClarity. The project aims to address API security and observability problems such as configuration drift, zombie (deprecated) APIs and shadow (undocumented) APIs, to name but a few.

APIClarity — available on GitHub — is described as “Wireshark for APIs” and is maintained by Cisco, 42Crunch (read more here), and APIMetrics. A short video overview of the solution accompanies the announcement.

Report: F5 report into cyber attacks on banks and financial services

Next, we take a look at API attacks and Open Banking in the second part of a comprehensive report from F5 on reported security incidents at financial organizations.

The most telling statistic here is the increase in the number of incidents that relate to APIs. From 2018 to 2020, only about 6% of incidents were API-related, whilst in 2020 APIs accounted for a whopping 55% of incidents!

A similarly telling statistic is that the financial sector is far more likely to suffer an API-related incident (a total of 50%) compared with the average of 4% across all industries.

The key takeaways from the report include:

  • Open Banking is likely to become increasingly reliant on APIs, and decreasingly reliant on Open Financial Exchange (OFX).
  • Two-thirds of API incidents in 2020 were caused by combinations of no authentication, no authorization, or failures in either.
  • The combination of the two points above suggests an increasing attack surface for attackers to exploit in Open Banking implementations.

Guide: API security mega guide

Finally, Expedited Security has published an extremely comprehensive and easily digestible mega guide to API security best practices.

This guide should prove invaluable to novices and experts alike, and covers several key topics, such as:

  • Distributed Denial of Service (DDoS) attacks
  • Data breach attacks
  • OWASP Top 10 vulnerabilities
  • API security controls
  • API authentication and authorization
  • Secure API design guidelines
  • Security procedures

Colin Domoney

ApiSecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 