Some time ago, I came across this article on Hacker News. I recommend you read the whole thing. But in short: A social media site for woman called “Giggle” used an API that pretty much exposed every users data, if you did so much as to request it. This is called an IDOR vulnerability.
The “barrier of entry” is very low here. Installing BurpSuite might have actually been the hardest part of it all.
I always found these types of “hacks” the most interesting. Mostly because they don’t require any experience in offensive security. You don’t need to be an professional pentester to know basic API debugging. Even I could do something like this! In fact, I still sometimes hack myself into leaderboards of browser games like this one.
These kind of “easy to pick” targets are often referred to as “low hanging fruit”. There is no complicated setup or mentionable work required to just grab an apple from a low hanging branch. Same thing was true for hacking Giggle.
And these types of incidents are all but rare. Just search the web for “unsecured elasticsearch instance”. Also, it doesn’t just affect userdata neither. There have been IDOR issues on car control systems. One could literally stop, lock and unlock cars thanks to a certain API endpoint that required no authentication.
The question as to HOW these things can happen in the first place can have many answers. Is it inexperienced developers that truly believe that no one can snoop on their POST requests? Or outsourcing the API development to India for 30 ct an hour? Overly harsh deadlines and developers that just don’t care anymore? Who knows.
What I do know is that these issues are systemic in nature, rather than technical. There is a big difference in having a lock that a experienced lockpicking expert can open, and having no lock at all. Some would think that, over time, humans would eventually learn how to secure computers. And on a technical level, we kinda have. Better firewalls, better intrusion detection, better encryption, better programming languages…
But none of this helps against gross negligence.
No pentester in sight
And this is where I ask (myself) the final question. Who will report these vulnerabilites? Will a company that acts totally ignorant towards security hire a pentest? Hell no. Will they have an account on HackerOne? Unlikely. Will a bad actor report it? Of course not.
And will hobby hackers step in? Well maybe. In the two cases I linked above they obviously did. But anyone who regulary reads infosec news will know, reporting stuff like this can be annoying at best, and land you in jail at worst. There are plenty of examples where things did not go well at all for someone who reported a vulnerability in good faith. Hell, just read the article I linked in the beginning already. You will know what I mean.
And now what?
Excellent question! After establishing all of the problems it’s time to reveal my solution. At least I wish. This post serves no purpose and provides no solution. If anything, it shows that there is no technical solution to systemic problems.
And I didn’t even mention IoT.
Thanks for enduring my thoughts.