Exposed APIs of Securities Lending Firm Could Leak Sensitive Data

  1. A third-party securities lending firm’s QA systems, hosted on AWS and processing credit bureau data, were exposed online.
  2. After the data constructs were queried via the API, we found that some of the data was not legitimate, as it looked rogue or vague. However, we did find some valid SSNs, but they did not match the information in the obtained data. The data dumps (JSON blobs) revealed in full how the data was processed and stored. It was very clear that sensitive information such as SSNs, credit card scores, etc. was stored in clear text in the database.
  3. These QA/test systems returned the HTTP response header “X-Application-Context: equifax-consumer:prod,aws:9001”, which carried traces of a “production instance”. It was not clear why these systems were deployed or why they were tagged with the name of the credit bureau’s consumer production instance.
  4. The APIs (as discussed earlier) were insecurely designed, and the following flaws were noticed:
  • The APIs were called over a non-HTTPS channel, meaning the QA systems performed their testing and assessment over an unencrypted channel.
  • The APIs had no authentication controls enabled: no unique tokens were used to validate the origin of requests, and no HTTP authentication was in place.
  • The APIs had no authorization controls enabled either, so any adversary could access the systems remotely from any geographical location on the Internet.
  • An adversary could therefore interact with these APIs without authentication or authorization, which could result in the exfiltration of data from the QA systems.
  5. These findings raise the following questions:
  • How do credit bureaus share data with third-party firms such as securities lending companies?
  • What types of security controls are in place for the systems operated by third-party companies handling customer data?
  • How are the data-sharing controls audited by independent auditors for achieving compliance?
  6. Recommendations:
  • QA or critical backend systems should not be exposed on the Internet. Exposure can leak information about the network environment, including data storage, API design and more.
  • The securities lending firm’s systems should be scrutinized for unauthorized access by analyzing system logs, HTTP logs and other indicators of compromise available on these servers. Other adversaries may already have used the exposed information to retrieve data from the backend systems.
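Two defender-side checks that follow from the findings above, written as an added example rather than code from the original post: the first reviews HTTP response headers for ones that disclose deployment context, as the X-Application-Context header on the QA systems did; the second walks web-server access log lines and flags API requests that were served over cleartext HTTP, without any Authorization header, or from outside the organisation's own address ranges, which is the kind of review the final recommendation calls for. The log format, the trusted network ranges and all sample lines are constructed for this example; only the quoted X-Application-Context value comes from the write-up.

```python
"""Defender-side checks for two of the findings above (added example).

(1) audit_response_headers() flags response headers that disclose framework
    or deployment details, and highlights environment markers in their values.
(2) audit_access_log() flags successfully served API requests that lacked
    transport encryption or an Authorization header, or came from outside
    the trusted networks.
The log format, trusted ranges and sample data are constructed for this example.
"""
import re
from ipaddress import ip_address, ip_network

# Header names that commonly reveal framework, server or deployment details.
DISCLOSING_HEADERS = {"x-application-context", "server", "x-powered-by"}
# Substrings in a header value that hint at an environment or hosting tag.
ENVIRONMENT_MARKERS = ("prod", "production", "aws", "internal")


def audit_response_headers(headers):
    """Return (name, value, reason) tuples for headers that disclose too much."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSING_HEADERS:
            continue
        reason = "discloses software or deployment details"
        markers = [m for m in ENVIRONMENT_MARKERS if m in value.lower()]
        if markers:
            reason += "; value carries environment marker(s) " + ", ".join(markers)
        findings.append((name, value, reason))
    return findings


# Constructed log format: client IP, timestamp, request line, status, scheme,
# and whether the request carried an Authorization header ('-' if it did not).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r"(?P<status>\d{3}) (?P<scheme>https?) auth=(?P<auth>\S+)$"
)
API_PREFIX = "/api/"
# Assumed internal address ranges; adjust to the environment under review.
TRUSTED_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


def audit_access_log(lines):
    """Return one finding per successfully served API request that lacked
    transport encryption or authentication, or came from an untrusted network."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m is None:
            findings.append({"ip": None, "path": None,
                             "reasons": ["unparseable line: " + line]})
            continue
        # Only successful responses to API paths count as an exposure;
        # a rejected (401/403) unauthenticated request is the control working.
        if not m["path"].startswith(API_PREFIX) or not m["status"].startswith("2"):
            continue
        reasons = []
        if m["scheme"] != "https":
            reasons.append("API call over cleartext HTTP")
        if m["auth"] == "-":
            reasons.append("no Authorization header")
        if not any(ip_address(m["ip"]) in net for net in TRUSTED_NETWORKS):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return findings


# Constructed samples. The X-Application-Context value is the one quoted in
# the write-up; everything else is made up for the example.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "X-Application-Context": "equifax-consumer:prod,aws:9001",
    "Server": "Apache-Coyote/1.1",
}
SAMPLE_LOG_LINES = [
    '10.0.4.12 [10/Apr/2018:13:55:36 +0000] "GET /api/v1/consumer/1001 HTTP/1.1" 200 https auth=bearer',
    '203.0.113.7 [10/Apr/2018:13:57:02 +0000] "GET /api/v1/consumer/1002 HTTP/1.1" 200 http auth=-',
    '198.51.100.23 [10/Apr/2018:14:01:11 +0000] "GET /api/v1/consumer/1003 HTTP/1.1" 401 https auth=-',
    '203.0.113.7 [10/Apr/2018:14:02:40 +0000] "GET /healthz HTTP/1.1" 200 http auth=-',
    '192.168.1.5 [10/Apr/2018:14:05:09 +0000] "POST /api/v1/lookup HTTP/1.1" 200 http auth=bearer',
]

if __name__ == "__main__":
    for name, value, reason in audit_response_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"header {name}: {value!r} -> {reason}")
    for f in audit_access_log(SAMPLE_LOG_LINES):
        print(f"{f['ip']} {f['path']} -> {'; '.join(f['reasons'])}")
```

On the constructed sample the header review reports X-Application-Context (with the prod and aws markers) and Server, and the log audit reports two exposures: the external request served over HTTP with no Authorization header, and an internal request that was authenticated but still sent in cleartext. The rejected 401 request and the non-API health check produce no finding, which keeps the output focused on requests that actually returned data.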

Aditya K Sood