The annual holiday buying bonanza has officially kicked off for 2018, and, as if on cue, a pair of security incidents at two of the most-used services this time of year – the U.S. Postal Service and Amazon – showed up to remind us of the dangers of shopping season. Both hinged on improper API use – and together they point to an oft-overlooked weakness that is all too common in network security strategies.
The data exposures come as holiday attacks are set to worsen. According to Carbon Black’s Holiday Threat Report, released Monday, seasonal cyberattacks are on pace to increase by 60 percent from last year, spiking on “Cyber Monday” and remaining at elevated levels throughout the holiday season.
According to the Carbon Black Threat Analysis Unit, telemetry from more than 16 million endpoints reveals that holiday attacks are rising year-on-year: Global organizations encountered a 57.5 percent increase in attempted cyberattacks during the 2017 holiday shopping season, the report found. During the same time period in 2016, attempted cyberattacks increased above normal levels by 20.5 percent.
It is against this backdrop that a year-old hole in the United States Postal Service’s website was publicized, which would have allowed an attacker to query the website for account details on 60 million corporate users, including email addresses, account numbers, street addresses, mail campaign data and phone numbers. In some cases, an attacker would have been able to modify account details.
The issue had been discovered and reported a year ago by an anonymous security researcher, but it wasn’t patched until Brian Krebs reported it to USPS last week. It stemmed from an authentication weakness in an API used in the service’s Informed Visibility feature, which offers near real-time tracking data for packages and bulk mail for advertising companies and other organizations that do a lot of mass mailings.
The API flaw meant that the browser-based tool also let anyone logged in to USPS.com to modify its “wildcard” search parameters without any special authentication – so, anyone could ask for “all records for a given data set without the need to search for specific terms,” according to Krebs.
That could open the door for mass harvesting of information that could be leveraged for high-volume – but very targeted – phishing or social-engineering efforts, although USPS says that there’s no evidence that the flaw was exploited. USPS also didn’t address why it didn’t fix the problem a year ago.
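The class of weakness the article describes is an authenticated search endpoint that honours a caller-supplied wildcard without checking which records the caller is entitled to see. The following Python is an added illustration written for this article, not USPS code or a reconstruction of the Informed Visibility API: the endpoint shape, the field names, the ownership table and the sample records are all constructed here. It shows the weak lookup beside a version that scopes every query (wildcards included) to the accounts the session owns, plus a simple audit check that flags sessions pulling far more records than a single account holder would.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    """One customer record as a bulk-mail tracking service might hold it."""
    account_id: str
    email: str
    phone: str


# Constructed sample data: three records across two unrelated accounts.
RECORDS: List[Record] = [
    Record("A-100", "alice@example.com", "555-0100"),
    Record("A-100", "ops@example.com", "555-0101"),
    Record("B-200", "bob@example.org", "555-0200"),
]

# Constructed ownership table: which accounts each logged-in session may view.
OWNERSHIP: Dict[str, Set[str]] = {
    "alice": {"A-100"},
    "bob": {"B-200"},
}


def vulnerable_search(session_user: str, account_filter: str) -> List[Record]:
    """Authenticated but not authorised: the caller must be logged in, yet
    the filter is applied to the whole data set, so '*' returns every record
    regardless of who is asking. This is the pattern the article describes."""
    if account_filter == "*":
        return list(RECORDS)
    return [r for r in RECORDS if r.account_id == account_filter]


def hardened_search(session_user: str, account_filter: str) -> List[Record]:
    """Object-level authorisation: the filter is resolved against the accounts
    the session owns. A wildcard expands only within that set, and a request
    for an account outside it is refused rather than silently served."""
    allowed = OWNERSHIP.get(session_user, set())
    if account_filter == "*":
        scope = allowed
    elif account_filter in allowed:
        scope = {account_filter}
    else:
        raise PermissionError(f"{session_user} may not query {account_filter}")
    return [r for r in RECORDS if r.account_id in scope]


# Constructed audit entries: (session_user, number of records returned).
SAMPLE_AUDIT: List[Tuple[str, int]] = [
    ("alice", 2),
    ("bob", 1),
    ("mallory", 60_000),
    ("alice", 2),
]


def flag_bulk_reads(audit: List[Tuple[str, int]], threshold: int) -> List[str]:
    """Detection heuristic for the harvesting scenario: sum the records each
    session has received and report sessions above the threshold. Ownership
    scoping prevents the bulk read; this check tells you if it happened anyway."""
    totals: Dict[str, int] = {}
    for user, count in audit:
        totals[user] = totals.get(user, 0) + count
    return sorted(user for user, total in totals.items() if total > threshold)


if __name__ == "__main__":
    print("weak, bob asks '*':", len(vulnerable_search("bob", "*")), "records")
    print("hardened, bob asks '*':", len(hardened_search("bob", "*")), "records")
    print("sessions over threshold:", flag_bulk_reads(SAMPLE_AUDIT, 1000))
```

The two lookups share one data set; the difference is only that the hardened version resolves the filter through the ownership table before touching the records. The threshold in the audit helper is a placeholder value for the example, not a figure from the article.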
“We currently have no information that this vulnerability was leveraged to exploit customer records,” it said in an emailed statement. “The information shared with the Postal Service allowed us to quickly mitigate this vulnerability.”
It added, “Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”
Setu Kulkarni, vice president of strategy and business development at WhiteHat Security, noted that APIs are turning out to be a double-edged sword when it comes to internet-scale B2B connectivity.
“APIs, when insecure, break down the very premise of uber-connectivity they have helped establish,” he said, via email.
“To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regards to application security,” said Kulkarni. “Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle (SLC), with proper security training and certifications.”
Yet even one of the Big Kahunas of the internet economy – Amazon – is not above making mistakes on this front. The e-commerce giant notified customers last week that their email addresses were inadvertently exposed, also via an API issue. Details are scant – the issue affected an unknown number of customers – and Amazon says its servers were not breached and it didn’t give away any other personal info. Still, some researchers took the company to task over the incident.
Andy Norton, director of threat intelligence at Lastline, noted that it’s possible to glean a detail or two by reading between the lines of the notification Amazon sent customers, which he had a copy of.
“The Amazon ‘breach’ note that was shared with customers states that the affected users don’t need to take any further action if the names and emails were inadvertently disclosed to unknown parties,” he said. “Amazon should advise to take extra care and diligence in opening their mail, and should highlight the risks of being phished. The fact that they are stating ‘the affected parties’ suggests that the data was indeed leaked to a known entity that has been contained.”
He added, “Because the cybersecurity and e-commerce industries are undoubtedly on edge ahead of the holiday shopping rush, this could be viewed as one of the worst breach notes in history. It is creating confusion and uneasiness, and creating more questions than answers, when it should have done the opposite.”
APIs: A Rich Criminal Target
APIs are an attractive target for threat actors because they act as the glue linking different services – they allow data to flow freely from one area to the next, and thus provide a rich vein of information if they are compromised.
“APIs are becoming an increasingly attractive target for attacks – including malicious bot attacks – because APIs can provide access to other applications and data within a customer’s extended digital ecosystem,” Larry Link, CEO at Cequence, told Threatpost. “It’s important for organizations to ensure they have security tools in place that can properly defend these targets. From a bad actor’s perspective, geo-distributed bot attacks are relatively easy to plan and execute, which is why malicious bots are emerging as the new No. 1 attack threat facing every organization that leverages web, mobile and API apps for business processes and customer engagement.”
Yet despite APIs attracting the notice of cybercriminals and serving such a critical function, they often fly under the radar when it comes to data security, as the USPS and Amazon issues showcase. However, it’s likely that this will change as privacy regulations become more and more common.
“Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams,” Tim Mackey, senior technical evangelist at Synopsys, told Threatpost. “Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage. When you consider the U.S. Senate Commerce Committee is hearing briefs on a national data protection law similar to CCPA and GDPR, organizations should view tracking of API dependencies as a core strategy in reducing risks associated with potential data breaches.”