Courtesy — https://twitter.com/Jeremy_Kirk
Disclaimer: AppSentinels doesn’t have first-hand information about the cause of the Optus breach. This blog is based on information collected from various sources on the Internet. References are available at the end of the blog.
Before we delve into the reasons behind the Optus breach, let’s look at the chronology of events. Data breach updates are being followed at https://twitter.com/hashtag/OptusDataBreach and https://twitter.com/Jeremy_Kirk.
According to various reports, Optus customer data was accessed via an API interface that was not secured (https://www.computerweekly.com/news/252525513/Optus-breach-casts-spotlight-on-cyber-resilience). Apart from the unauthenticated API, there was another serious issue: easily enumerated IDs (identifiers). Both are foundational controls that were found lacking in the API implementation.
a) An unauthenticated API exposing PII data: an unauthenticated API endpoint, reachable via one of the telco’s subdomains, was exposing customers’ PII. This is like leaving the gate wide open with a sign reading ‘valuables inside’. Any user on the internet could invoke the API and retrieve data by supplying basic information as a parameter, e.g. to get details about the customer with mobile number 1234567890.
This weakness is called BUA (Broken User Authentication), number two in the OWASP API Security Top 10 list.
b) Another API had a parameter enumeration issue. For example, the UserID parameter was numbered 1, 2, 3, … The API could be invoked with an incremented identifier to retrieve details about the corresponding user. There were NO checks in the API endpoint to ensure that only the authorized user was allowed access to his/her own data.
This weakness is called BOLA (Broken Object Level Authorization), number one in the OWASP API Security Top 10 list.
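To make the two gaps concrete, here is an added example (not Optus or AppSentinels code) of a minimal customer-lookup handler in both its vulnerable and hardened form. The customer records, session tokens and sequential IDs are constructed for illustration; the hardened handler requires a valid session (BUA fix) and only returns the record bound to that session (BOLA fix).

```python
"""Added example: vulnerable vs hardened customer lookup.
All data below is constructed; it is not real customer or Optus data."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data: sequential customer IDs, as in the BOLA scenario.
CUSTOMERS: Dict[int, dict] = {
    1: {"name": "Alice Example", "mobile": "0400000001", "licence": "DL-0001"},
    2: {"name": "Bob Example", "mobile": "0400000002", "licence": "DL-0002"},
}
# Constructed session store: bearer token -> authenticated customer ID.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}


@dataclass
class Response:
    status: int
    body: dict


def lookup_vulnerable(customer_id: int, token: Optional[str] = None) -> Response:
    """Flaw a) no authentication and flaw b) no object-level check:
    anyone can walk customer_id = 1, 2, 3, ... and read every record."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def lookup_hardened(customer_id: int, token: Optional[str] = None) -> Response:
    """BUA fix: reject callers without a valid session.
    BOLA fix: a caller may read only the record bound to their own session."""
    caller_id = SESSIONS.get(token) if token else None
    if caller_id is None:
        return Response(401, {"error": "authentication required"})
    if customer_id != caller_id:
        # 404 rather than 403, so the endpoint does not confirm which IDs
        # exist and stops acting as an enumeration oracle.
        return Response(404, {"error": "not found"})
    return Response(200, CUSTOMERS[customer_id])


def records_exposed(handler: Callable[..., Response], ids: Iterable[int],
                    token: Optional[str] = None) -> int:
    """Regression check for defenders: how many records does an ID walk
    recover from this handler? A hardened handler returns at most one."""
    return sum(1 for i in ids if handler(i, token).status == 200)
```

Running `records_exposed` against each handler over the ID range 1..4 shows the vulnerable version leaking every existing record and the hardened version leaking none without a token and exactly one with a valid token.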
APIs are a critical part of your software. Weak APIs can result in massive data breaches like the one Optus suffered, on top of huge brand and financial losses. Protecting APIs is critical for organizations of all sizes. Look for an API security solution that provides protection against the gaps described in this post.