Widespread Exposure of API Keys Imperils the Mobile App Ecosystem

guest · Sep 20, 2021

Payment API Bungling Exposes Millions of Users’ Payment Data
September 20, 2021
https://threatpost.com/payment-api-exposes-payment-data/174825/

App developers have once again been accused of having butterfingers when it comes to API keys, leaving millions of mobile app users at risk of exposing their personal and payment data.

CloudSEK, maker of artificial intelligence- (AI-) enabled digital threat protection, reported last week that the mobile ecosystem is reeking with hard-coded API keys: Keys that should never be exposed in endpoint apps.
Click to expand...

Misconfigured APIs make any app risky, but when you’re talking about financial apps, it’s about handing ne’er-do-wells the power to turn victims’ pockets inside-out.

“While the rampant exposure of API keys is hazardous for any app, it is especially critical when it comes to apps that handle payment information such as bank details, credit card information and UPI transactions, in addition to user [personally identifiable information, or PII],” according to CloudSEK’s writeup.
Click to expand...

CloudSEK said, which means that app developers need to handle them with kid gloves in order to avoid leaking customer data: “Any systematic mishandling of API keys among app developers can cause threat to the app’s business,” researchers maintained.
They added, “Hardcoded API keys are akin to locking your house but leaving the key in an envelope titled ‘do not open.'”

Researchers focused on 13,000 apps currently uploaded to CloudSEK’s mobile app security search engine BeVigil, about 250 of which – roughly 5 percent – were using the Razorpay API to power financial transactions.
The report stressed that the onus is also on the companies where the keys are getting bungled:

“It is up to individual companies to address the security concerns associated with payment gateways, AWS services, open Firebases, etc.”
Click to expand...

CloudSEK: Exposed Payment Integration API Keys Imperil Millions of Users’ Transaction Details and PII

During our investigation, we found that out of the 13,000 apps currently uploaded to BeVigil, ~250 apps used the Razorpay API to enable financial transactions. And ~5% of these apps, i.e. 10 apps were found to be exposing their payment integration key ID and key secret. However, given that a purported 8 million businesses transact on Razorpay, the actual number of apps exposing API keys could be higher.

This discovery comes on the heels of a similar finding that 100 million users’ data is impacted because 0.5% of mobile apps expose their internal AWS keys. This highlights a pattern of systemic mishandling of API keys among app developers.
Click to expand...

guest · Aug 8, 2022

Over 3,200 apps leak Twitter API keys, some allowing account hijacks
August 1, 2022

Cybersecurity researchers have uncovered a set of 3,207 mobile apps that are exposing Twitter API keys to the public, potentially enabling a threat actor to take over users' Twitter accounts that are associated with the app.

The discovery belongs to cybersecurity firm CloudSEK, which scrutinized large app sets for potential data leaks and found 3,207 leaking a valid Consumer Key and Consumer Secret for the Twitter API.
Click to expand...

When integrating mobile apps with Twitter, developers will be given special authentication keys, or tokens, that allow their mobile apps to interact with the Twitter API. When a user associates their Twitter account with this mobile app, the keys also will enable the app to act on behalf of the user, such as logging them in via Twitter, creating tweets, sending DMs, etc.
Building a Twitter army
CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API but forget to remove them when the mobile is released.

One of the most prominent scenarios of abuse of this access, according to CloudSEK, would be for a threat actor to use these exposed tokens to create a Twitter army of verified (trustworthy) accounts with large numbers of followers to promote fake news, malware campaigns, cryptocurrency scams, etc.
Click to expand...

Bad practices
CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API, but forget to remove them when the mobile is released.

CloudSEK recommends developers use API key rotation to protect authentication keys, which would invalidate the exposed keys after a few months.
Click to expand...

CloudSEK: How Leaked Twitter API Keys Can be Used to Build a Bot Army

CloudSEK’s Attack Surface Monitoring Platform, uncovered 3207 apps, leaking Twitter API keys, that can be utilized to gain access to or to take over Twitter accounts.
Click to expand...

(PDF): https://cloudsek.com/download/20147/

EASTER · Aug 1, 2022

Bad practices
CloudSEK explains that the leak of API keys is commonly the result of mistakes by app developers who embed their authentication keys in the Twitter API, but forget to remove them when the mobile is released.

CloudSEK recommends developers use API key rotation to protect authentication keys, which would invalidate the exposed keys after a few months.
Click to expand...

That says all we need to know. Pure incompetence-script kiddies

guest · Nov 21, 2022

Thousands of Algolia API Keys Could Expose Users' Data
By Alessandro Mascellino @a_mascellino - November 21, 2022

Over 1500 apps have been found leaking the Algolia API key & Application ID, potentially exposing user data.
Click to expand...

Security researchers at CloudSEK shared the data with Infosecurity before publication, adding that 32 of the above applications were found to have critical Admin secrets hardcoded and that the team had identified 57 unique admin keys so far.

Algolia’s application programming interface (API) enables developers to implement search, discovery and recommendations within websites, mobile and voice applications.
Click to expand...

The solution is used by roughly 11,000 companies worldwide, including Stripe, Slack, Medium and Zendesk, to manage a reported 1.5 trillion search queries yearly.

“The admin API key can be used to access different pre-defined Algolia API Keys, including Search-only API key, Monitoring API key, Usage API key, and Analytics API keys,” warned CloudSEK.
Click to expand...

Of the 32 applications leaking 57 valid unique Admin API keys, the majority were from shopping, education, lifestyle, business and medical companies.

“While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open firebases, etc.,” CloudSEK explained.

“To prevent this, we advise developers to remove all exposed keys, generate new ones, and store them securely,” Syed Shahrukh Ahmad, co-founder at CloudSEK, told Infosecurity. The executive also confirmed the company notified Algolia and the affected apps about the hardcoded API keys.
Click to expand...

CloudSEK: Protected: Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users’ Data

November 21, 2022
Algolia's API is used by companies to incorporate search, discovery, and recommendations into their voice, mobile, and website applications. It is currently used by over 11,000 companies, including Lacoste, Stripe, Slack, Medium, and Zendesk to manage ~1.5 trillion search queries a year.
Click to expand...

Apps with over 3 million installs leak 'Admin' search API keys
By Bill Toulas @billtoulas - November 21, 2022

Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information.
Click to expand...

Log in or Sign up

Widespread Exposure of API Keys Imperils the Mobile App Ecosystem

guest Guest

guest Guest

EASTER Registered Member

guest Guest

Log in or Sign up

Widespread Exposure of API Keys Imperils the Mobile App Ecosystem

guest Guest

guest Guest

EASTER Registered Member

guest Guest

Useful Searches