Exposed APIs of Securities Lending Firm Could Leak Sensitive Data

  1. A third-party securities lending firm’s QA systems, hosted on AWS and processing credit bureau data, were exposed on the Internet.
  2. After the data constructs were queried via the API, we found that some of the data was not legitimate, as it looked rogue or vague. However, we did find some valid SSNs, but they did not match the information in the obtained data. The data dumps (JSON blobs) revealed full details of how the data was processed and stored. It was very clear that sensitive information such as SSN, credit card score, etc. was stored in clear text in the database.
  3. These QA/test systems returned the HTTP response header “X-Application-Context: equifax-consumer:prod,aws:9001”, which showed traces of a “production instance”. It was not completely clear why these systems were deployed, or why they were tagged with the name of the credit bureau’s consumer production instance.
  4. The APIs (as discussed earlier) were insecurely designed, and the following flaws were noticed:
  • The APIs were called over a non-HTTPS channel, meaning the QA systems performed testing and assessment over an unencrypted channel.
  • The APIs did not have any authentication controls enabled, which means no unique tokens were used to validate the origin of the requests. No HTTP authentication was in place.
  • The APIs did not have authorization controls enabled either. Any adversary sitting remotely could access the systems from any geographical location on the Internet.
  • It was possible for an adversary to interact with these APIs without authentication or authorization, which could result in the exfiltration of data from the QA systems.
  • How do credit bureaus share data with third-party firms such as securities lending companies?
  • What types of security controls are in place for the systems operated by third-party companies handling customer data?
  • How are the data sharing controls audited by independent auditors for achieving compliance?
  • QA or critical backend systems should not be exposed on the Internet. Exposure can leak information about the network environment, including data storage, API design and other details.
  • Systems of the securities lending firm should be scrutinized for unauthorized access by analyzing system logs, HTTP logs and other indicators of compromise available on these servers. It is possible that other adversaries have already used the exposed information to retrieve data from backend systems.
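As an added example (not code from the original post), the following Python checker scores one captured request/response pair against the four flaws listed above: cleartext transport, missing authentication, the X-Application-Context disclosure, and SSNs in the JSON body. The hostname, headers and JSON values are constructed placeholders, and the hardened sample shows what a correctly locked-down endpoint returns for the same unauthenticated request.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of one unauthenticated exchange with an exposed QA API.
# Every value here is made up for illustration.
EXPOSED = {
    "url": "http://qa-api.example.test:9001/v1/consumer/12345",
    "request_headers": {"Accept": "application/json"},  # no Authorization sent
    "status": 200,
    "response_headers": {"X-Application-Context": "equifax-consumer:prod,aws:9001",
                         "Content-Type": "application/json"},
    "body": json.dumps({"ssn": "123-45-6789", "score": 712, "name": "Test User"}),
}

# Constructed sample of the same request against a hardened endpoint:
# TLS only, a 401 challenge when no credential is presented, no context header.
HARDENED = {
    "url": "https://qa-api.example.test/v1/consumer/12345",
    "request_headers": {"Accept": "application/json"},
    "status": 401,
    "response_headers": {"WWW-Authenticate": "Bearer", "Content-Type": "application/json"},
    "body": json.dumps({"error": "unauthorized"}),
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def audit_capture(capture):
    """Return a list of (finding, detail) tuples for one captured exchange."""
    findings = []
    if urlparse(capture["url"]).scheme != "https":
        findings.append(("cleartext-transport", "API served over plain HTTP"))
    # A 200 with no credential means neither authentication nor authorization
    # was applied: no identity was bound to the request at all.
    if "Authorization" not in capture["request_headers"] and capture["status"] == 200:
        findings.append(("no-authentication", "200 OK without any Authorization header"))
    ctx = capture["response_headers"].get("X-Application-Context")
    if ctx:
        tag = " (production tag)" if "prod" in ctx else ""
        findings.append(("context-disclosure", f"header reveals '{ctx}'{tag}"))
    # Report only the last four digits so the audit output itself does not leak the SSN.
    for ssn in SSN_RE.findall(capture["body"]):
        findings.append(("cleartext-ssn", f"SSN ending {ssn[-4:]} present in response body"))
    return findings
```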
Aditya K Sood