
Page 377

Carlo includes a great summary of issues:

“How is it possible that my data was breached so quickly?

  • Bitcoin miners continuously scan GitHub source code for Amazon access keys.
  • They then use these keys to spawn large numbers of (Amazon cloud) EC2 instances to mine for bitcoins.
  • They make big coin while those who were exploited are left with huge bills.

What could be done to prevent and mitigate this?

  • Always test new version control GUIs before using them in the wild. There could be a bug that could expose your data.
  • Encrypt sensitive information in config files.
  • Move access keys to a separate config file, and exclude this from Git deploys.
  • Amazon could implement daily max budgets by default.
  • Ideally, Amazon shouldn’t allow infinite expenditure” [22].

Security of Application Programming Interfaces (APIs)

An Application Programming Interface (API) allows an application to communicate with another application, or an operating system, database, network, etc. For example, the Google Maps API allows an application to integrate third-party content, such as restaurants overlaid on a Google Map.

A real-world example of API exploitation is a flaw in the Facebook API that security researcher Reza Moaiandin used to harvest thousands of Facebook profiles:

“Reza Moaiandin, the software engineer who discovered the flaw, exploited a little-known privacy setting allowing anyone to find a Facebook user by typing their phone number into the social network.

By default, this Who can find me? setting is set to Everyone/public—meaning anyone can find another user by their mobile number. This is the default setting even if that user had chosen to withhold their mobile number from their public profile.

Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these numbers to Facebook's application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users' profiles.

All the information Moaiandin received was publicly available, but the ability to link the profiles to mobile numbers on such a large scale leaves the system open to abuse.”
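One defensive design for a lookup endpoint of this kind, added here as an example (not code from Facebook or from this book): a per-caller sliding-window rate limit that counts every lookup attempt, misses included, so bulk number generation is throttled long before it reaches scale, and a "who can find me" setting checked on every hit. The profile directory, API keys and class name are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> (user id, "who can find me" setting).
PROFILES = {
    "+15550000001": ("alice", "everyone"),
    "+15550000002": ("bob", "friends"),
    "+15550000003": ("carol", "nobody"),
}


class PhoneLookupAPI:
    """Phone-to-profile lookup guarded by a per-API-key sliding-window rate limit.

    Hypothetical hardened design for the example; not a real service's API.
    max_lookups per window_s seconds bounds how many numbers one caller can
    resolve, whether or not the numbers exist.
    """

    def __init__(self, max_lookups=20, window_s=60.0, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self.clock = clock                    # injectable for deterministic tests
        self._history = defaultdict(deque)    # api_key -> timestamps of recent lookups
        self.throttled = defaultdict(int)     # api_key -> rejected attempts (alert signal)

    def _allow(self, api_key):
        """Admit the attempt if the caller is under the limit; evict stale timestamps first."""
        now = self.clock()
        recent = self._history[api_key]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            self.throttled[api_key] += 1
            return False
        recent.append(now)
        return True

    def lookup(self, api_key, phone, caller_is_friend=False):
        """Return the user id for phone, or None.

        None is returned alike for throttled, unknown and non-discoverable numbers,
        so the endpoint does not act as an oracle for which numbers are registered.
        """
        if not self._allow(api_key):
            return None
        user_id, setting = PROFILES.get(phone, (None, "nobody"))
        if setting == "everyone" or (setting == "friends" and caller_is_friend):
            return user_id
        return None
```

The `throttled` counter per key is the value worth exporting to monitoring: a single key accumulating thousands of rejections is the enumeration pattern described above.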

The OWASP Enterprise Security API Toolkits project includes these critical API controls:

  • Authentication
  • Access Control
  • Input Validation
  • Output encoding/escaping
  • Cryptography
  • Error handling and logging
  • Communication security
  • HTTP security
  • Security configuration