APPSEC-OPTUS-2022

On 24 May 2019 KrebsOnSecurity disclosed that First American Financial Corp. had exposed roughly 885 million mortgage and title records dating back to 2003, including Social Security numbers, bank account numbers and statements, wire transaction receipts, mortgage and tax records, and driver's license images. The records were served by First American's EaglePro document system at sequential URLs containing a nine-digit document reference number. No authentication of any kind was required, so anyone holding a single valid link could simply increment or decrement the document number in the URL to retrieve any other customer's document. This is a textbook Broken Object Level Authorization / IDOR flaw (OWASP API1) compounded by complete Broken Authentication (OWASP API2), with a user-controlled object identifier and no authorization or login check. The defect was introduced in a May 2014 software update and was flagged by First American's own penetration test in January 2019 but left unremediated; researcher Ben Shoval reported it after the company failed to respond. New York DFS later brought a cybersecurity enforcement action (settled for $1 million) and the SEC settled disclosure-controls charges for $487,616.

On January 19, 2023 T-Mobile disclosed in an SEC 8-K filing that an attacker had abused a single API to obtain data on roughly 37 million current postpaid and prepaid customer accounts, with access beginning on or around November 25, 2022 and continuing about six weeks until detection on January 5, 2023 and cutoff a day later. The exposed fields included names, billing addresses, emails, phone numbers, dates of birth, account numbers, and plan features; T-Mobile stated no passwords, payment card data, Social Security numbers, or government IDs were taken. T-Mobile only stated that a bad actor obtained data through a single API without authorization, without publishing the low-level mechanism; the security-community consensus reconstruction is Broken Object Level Authorization (BOLA/IDOR), where the API returned per-customer records without verifying the caller was authorized for that specific object, letting the attacker walk through customer identifiers at scale. The mechanism maps to BOLA via a user-controlled key, or, if the endpoint lacked authorization entirely, to missing authorization.

On January 3, 2023 Sam Curry and a team of researchers published Web Hackers vs. The Auto Industry, documenting critical API authorization flaws across about 16 automakers including Kia, Hyundai, Honda, Nissan, Acura, Infiniti, BMW, Ferrari, Porsche, Rolls Royce and Mercedes-Benz, plus telematics providers such as SiriusXM Connected Vehicle Services and Spireon. The connected-car APIs treated the VIN, which is visible through the windshield and effectively public, as an object identifier without verifying the caller actually owned the vehicle, a Broken Object Level Authorization flaw. Using only a target VIN, researchers could enroll a vehicle to an attacker account or bypass ownership checks and then remotely unlock, start, locate, honk, and track vehicles, achieving full account takeover. Several manufacturers also had Broken Function Level Authorization and misconfigured SSO/OTP endpoints exposing internal dealer portals. The work maps to OWASP API1:2023 (BOLA) and API5:2023 (BFLA).

On 28 April 2021 KrebsOnSecurity reported that researcher Bill Demirkapi had found an unnamed student-loan lender's website performing credit checks via the Experian Connect API in a way that exposed the credit scores of tens of millions of Americans. The lender's loan-eligibility form took only a consumer's first name, last name, mailing address, and date of birth and used them to query Experian's API for an automated FICO lookup. The API enforced no meaningful authentication, and entering all zeros in the date-of-birth field still returned a result, so in practice only a name and address were required. For each consumer the API returned the credit score plus up to four 'risk factors' explaining why the score was not higher, which Demirkapi automated into bulk lookups. This maps to OWASP API2 Broken Authentication (no real auth on the endpoint, defeated by the date-of-birth bypass) combined with Excessive Data Exposure. Contrary to some accounts, no client-side API key was leaked; the flaw was missing authentication, not a leaked credential. Experian fixed the specific endpoint, while Demirkapi warned other lender integrations remained unsecured.

Between 9 and 11 January 2021, as Parler was being deplatformed from Apple's App Store, Google Play and AWS following the 6 January Capitol riot, archivists led by the researcher known as donk_enby scraped roughly 99.9% of the platform before it went offline, capturing on the order of 70 TB of data including about 1.1 million videos along with public posts, photos and user data. Parler exposed API endpoints that served public posts and raw media without requiring any authentication, and post and object identifiers were sequential, so the archivists simply incremented IDs to enumerate and harvest the entire site. There was no rate limiting, allowing high-speed bulk extraction, and media files were served raw with EXIF and GPS metadata intact, while deleted posts were only flagged as deleted rather than removed and remained retrievable. The core flaw maps to OWASP API1 Broken Object Level Authorization (sequential IDs with no authorization check) combined with API4 Unrestricted Resource Consumption from the missing rate limiting, with Excessive Data Exposure in the unstripped media metadata.

On 8 August 2019 Pen Test Partners (researcher Alex Lomas) publicly disclosed that the 3fun dating app, which claimed about 1.5 million users, was leaking the precise location and private profile data of its users. The app collected real-time GPS coordinates and let users hide their location, but that privacy setting was enforced client-side only, hidden purely in the mobile app interface. The server's API endpoint still returned each user's exact latitude and longitude plus private profile data including dates of birth, sexual preferences, chat information and private photos stored in Amazon S3, regardless of the user's privacy settings. Because an attacker could spoof arbitrary coordinates and read raw coordinates directly from the response, no trilateration was even necessary, and Pen Test Partners located users at the White House, US Supreme Court and 10 Downing Street. This is a classic Excessive Data Exposure flaw, the read side of Broken Object Property Level Authorization (OWASP API3:2023), where the server returns sensitive object properties the client should never receive and relies on the client to filter them. 3fun pushed a fix roughly a week after notification.