AppSentinels

Why Payload Encryption Can’t Be Your Only Line of Defense

LOGIN
GET STARTED FREE

Learnings from the OptusBreach

AppSentinels
October 13, 2022
Optus Data Breach

An Optus Store displaying apology after the breach was disclosed

Courtesy — https://twitter.com/Jeremy_Kirk  

Disclaimer: AppSentinels doesn’t have first-hand information about the cause of the Optus breach. This blog is based on information collected from various sources on the Internet. References are available at the end of the blog

Chronology of events

Before we delve into the reasons behind Optus breach, let’s see the chronology of events. Data breach updates being followed up https://twitter.com/hashtag/OptusDataBreach and https://twitter.com/Jeremy_Kirk

 

Cause of the breach

According to various reports, Optus customer data was accessed via an API interface that was not secure. (https://www.computerweekly.com/news/252525513/Optus-breach-casts-spotlight-on-cyber-resilience). Apart from unauthenticated API, there was another serious issue related to easily enumerated ID’s (identifiers). These are foundational controls that were found lacking in the API implementation. 

 

a) An un-authenticated API exposing PII data — An unauthenticated API endpoint exposed via one of the subdomains of the telco was exposing PII data of the customers. This is like gate wild open with a message ‘valuables inside’. Any user on the internet can invoke the API and retrieve data by providing basic information like a parameter. Eg: to get details about a customer with mobile number 1234567890 

 

This attack is called BUA (Broken User Authentication and is number two in OWASP API Top-10 list). 

b) The was another API had another parameter enumeration issue. For eg: parameter UserID were numbered 1, 2, 3,…. The API can be invoked by incrementing the identifier parameter and retrieve details about the User. There were NO checks in the API endpoint to ensure only authorized user is allowed access to his/her data.

 

This attack is called BOLA (Broken Object Level Authorization and is number one in OWASP API Top-10 list). 

What is needed to prevent such breaches

  • Having an inventory of the APIs: You can’t protect what you can’t see. What is needed here is a platform that should discover all the API’s along with other characteristics about the API like authenticated, internal or public, dealing with sensitive info etc. If Optus had such an inventory, they could have discovered earlier that there exist weak APIs with access to sensitive data. OWASP API Top#9 [Asset Management] 

 

  • Authentication of APIs: Leaving an API open to world for anyone to invoke can be catastrophic as Optus discovered the hard way. While every application needs API open to world, such APIs should be carefully validated by the organization. A platform that can provide insight to the customer about such a risk would have helped Optus understand their risk exposure. OWASP API Top#2 [Broken User Authentication] 

 

  • Unauthorized Usage: A platform that can learn how the APIs are invoked and understand the application baseline as well as the user-context would have detected an easy target like allowing a user to change the identifiers and access information about the customers he/she isn’t authorized to use.  

Conclusion

APIs are critical part of your software. Weak APIs can result into massive data breaches like what Optus saw, apart from huge brand and financial losses. Protecting APIs is critical for organizations of all sizes. Look for an API Security solution that provides protection against the gaps described in the paper. 

Related Topics

The UAE Government API First Guidelines are a comprehensive framework designed to standardize API development and management across...
Read more
Since 2015, the Securities and Exchange Board of India (SEBI) has introduced several cybersecurity and cyber resilience frameworks to address evolving ....
Read more
In today’s rapidly interconnected digital environment, third-party APIs have become fundamental for enhancing functionality and enriching user...
Read more

API Security: A Beginner’s Guide

Digital transformation has resulted into an API-first economy where every organization is integrating deeper with customers, partners & suppliers. APIs are the ...
Read more

Why API sprawl is important and what you can do to mitigate it

Digital transformation has resulted into an API-first economy where every organization is integrating deeper with customers, partners & suppliers. APIs...
Read more
PCI DSS

Deep dive on PCI DSS 4.0 API Security Requirements

Read more

How AppSentinels aligns with Gartner API Security Recommendations

The Gartner research paper "What You Need to Do to Protect Your APIs" outlines key requirements for bolstering API security measures. In this blog...
Read more

NSA & CISA joint advisory for Web Application Access Control Abuse

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Nati...
Read more
OWASP Top 10 2023

OWASP API Top 10 2023: What changed and why it’s important?

Back in 2019, OWASP released its first API Top-10 list. It quickly gained widespread acceptance and acknowledgment from the industry about the...
Read more
API Security Developers Checklist

Checklist for Developers to Build Secure APIs 

Attacks on APIs are increasing exponentially. Gartner suggests API abuses are the most significant attack vector since 2022. Hence securing APIs is more...
Read more
Unified-api-protection

Unified API Protection: What It Is & How It Helps Secure API Landscape

A Unified API enables the communication between multiple APIs, including ones with different backend data models. Simply put, it is an abstraction layer...
Read more
Shadow-zombie-api-security

Shadow and Zombie APIs: How to Improve Your API Security

APIs are everywhere, enabling businesses to maximize business value. From digital transformation and application modernization to cloud migration ...
Read more
API Security Best Practices

API Security Best Practices

Application Programming Interfaces (APIs) are the building blocks of modern-day applications. This software-to-software interface enables seamless collaboration and communication...
Read more
API Abuse

API Abuse

Just about every application uses an application programming interface (API). While APIs add a lot of value to an organization, from a security standpoint, they come with some significant problems.
Read more
API Business Logic

API Business Logic: What & Why they exist & how to protect 

APIs have transformed product features, business offerings, and strategies (both technical and business-end). It is not a stretch to say that APIs are crucial in any industry that seeks a digital
Read more