This week, we check out API vulnerabilities in the dating app Bumble and COVID-KAYA, an app for frontline healthcare workers in the Philippines. There’s also a new Forrester report and an upcoming webinar on API security, as well as a couple of recordings of API security talks from the recent API Specification Conference (ASC).
Sanjana Sarda from Independent Security Evaluators found multiple vulnerabilities in the APIs behind the Bumble dating app. The app has about 95 million users, so the potential exposure is significant.
The vulnerabilities found included, for example:
- Bypassing the limits for premium features and on free accounts, because the limits were enforced only in the UI, not in the APIs.
- Retrieving arbitrary user profiles at arbitrary locations through the user search API.
- Triangulating the exact location of other users based on the retrieved distance from the arbitrary location mentioned above.
- Retrieving sensitive information on any user, including personal information, their Facebook interests and likes, and so on.
- Retrieving large amounts of information on many or all users programmatically with a script, because there was no API rate limiting.
- Allowing locked accounts to still access the APIs.
Needless to say, all of these combined could lead to massive privacy and personal security implications. Bumble has fixed some of the issues at least, but not everything yet.
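Three of the findings above come down to checks that have to run in the API itself: limits decided server-side, locked accounts rejected, and per-account rate limiting. The following is an added Python example, not Bumble's code; the `like_profile` endpoint, the `Account` model and the quota and rate-limit values are hypothetical.

```python
import time
from dataclasses import dataclass, field

FREE_DAILY_LIKES = 25   # assumed free-tier quota (constructed value)
RATE_LIMIT = 5          # assumed: max requests per window per account
RATE_WINDOW = 1.0       # window length in seconds

@dataclass
class Account:
    user_id: str
    premium: bool = False
    locked: bool = False
    likes_today: int = 0
    recent: list = field(default_factory=list)  # timestamps of recent requests

class ApiError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def authorize(account, now=None):
    """Checks that run on every API call, before any handler logic."""
    now = time.monotonic() if now is None else now
    # A locked account is rejected by the API, not just hidden in the UI.
    if account.locked:
        raise ApiError(403, "account locked")
    # Sliding-window rate limit keyed on the authenticated account.
    account.recent = [t for t in account.recent if now - t < RATE_WINDOW]
    if len(account.recent) >= RATE_LIMIT:
        raise ApiError(429, "rate limit exceeded")
    account.recent.append(now)

def like_profile(account, target_id, now=None):
    """Hypothetical endpoint: the quota is decided here, not in the client."""
    authorize(account, now)
    if not account.premium and account.likes_today >= FREE_DAILY_LIKES:
        raise ApiError(402, "free-tier limit reached")
    account.likes_today += 1
    return {"status": 200, "liked": target_id, "likes_today": account.likes_today}
```
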
Lessons learned here:
Unfortunately, this is not the first (and most likely not the last) time that API vulnerabilities have been uncovered in dating apps. We have previously covered API vulnerabilities in other dating apps in issues 18, 44, 45, 64, 95, and 106.
COVID-KAYA is an app created by the Philippines Department of Health and WHO. Front-line healthcare workers in the Philippines use the app to report COVID-19 cases.
Unfortunately, Citizen Lab from Canada found that the app had API flaws that exposed the private data of the personnel using the app, and potentially the patients’ too:
- API authentication was flawed and a failed login attempt actually granted API access. Presumably, this was for a password reset, but attackers could use it to figure out and take advantage of other API endpoints.
- The API allowed retrieving information about the medical personnel using COVID-KAYA and which facilities they worked in.
- The Android app had hard-coded API credentials that turned out to be simply a predefined base64-encoded username and password with superuser (administrative) rights.
The discovered vulnerabilities have since been fixed. Lessons learned from this one:
- Authentication is key and needs to be carefully implemented (see API2:2019 — Broken authentication)!
- Don’t implement an authentication bypass for some functions in the hope that attackers won’t find the rest of the API endpoints. They will.
- Never, ever hard-code credentials!
Unfortunately, with governments struggling with a fast response to the pandemic, this is not the first time that COVID-related applications have been rushed out with poor API security. See our previous coverage, for example, in issues 83, 98, and 107.
Analyst report: Forrester
Sandra Carielli from Forrester has published a detailed report on the state of API security called “API Insecurity: The Lurking Threat In Your Software”.
There will also be a webinar on the subject on December 1. For more details and to enroll, click here.
(Disclosure: my employer, 42Crunch has contributed to the report and is one of the vendors featured in it.)
Conference Talks: API Security at ASC 2020
ASC is a great annual event organized by the OpenAPI Initiative (OAI) — the Linux Foundation body behind the OpenAPI Specification (OAS).
ASC 2020 has just published the slides and session recordings from this year’s event, and there are two API security talks worth checking out:
- “Not your Uncle’s Auth: OAuth2.1 and Other Updates in Securing Your API” by Vittorio Bertocci
- “Did You Know You Could Use OpenAPI for Security?” by Isabelle Mauny
You can subscribe to this newsletter at APIsecurity.io.