Security Researcher Exposes Unsecured API From 63Red

March 12, 2019. Posted in Programming.

Elliot Alderson, a French security researcher, proved once again that some developers lack the ability to secure their APIs when he gained access to 63red’s user data. 63red, as Washington Post correspondent Heather Long wrote in a tweet, is “Yelp for conservatives.” The app claims to be super safe, but Alderson uncovered major security holes that gave him easy access to its users’ data.

This was primarily due to gaffes committed by the developer. Within the source code, the developer had hard-coded his credentials into the app, so anyone snooping around could grab them.


*To correct the tweet: the code is written in JavaScript, which is used within React Lite, AKA React Native, the framework for mobile apps.


If there were a Fight Club for devs, one of the first rules would be: do not hard-code sensitive data into the source code. It doesn’t take a security researcher to dig into your code and find things like API keys; someone with malicious intent only needs a simple open source web scraper.
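As an added example (not code from this article or from 63red), here is a small scanner of the kind that catches the first problem before a build ships: it walks JavaScript source line by line and flags string literals assigned to credential-like names or embedded in an Authorization header, which is exactly what a pre-commit hook or CI job should reject. The sample source, the pattern names and the `scanSource` and `hasHardcodedSecrets` functions are all constructed for this illustration.

```javascript
// Added example: a minimal hard-coded-secret scanner for JavaScript source.
// Not code from the article or from 63red; SAMPLE_SOURCE is constructed.
const SECRET_PATTERNS = [
  // A credential-like name assigned a string literal of at least 6 characters.
  { kind: "credential-literal",
    re: /\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["'`]([^"'`]{6,})["'`]/gi },
  // An Authorization header value built from a literal Basic or Bearer credential.
  { kind: "auth-header-literal",
    re: /["'`]?Authorization["'`]?\s*:\s*["'`](Basic|Bearer)\s+([A-Za-z0-9+/=._-]{8,})["'`]/g },
];

// Shannon entropy in bits per character; random-looking keys score high, plain words low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan source text and return one finding per match. The matched value is redacted
// so that the report itself does not become another copy of the secret.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[2];
        findings.push({
          line: idx + 1,
          kind,
          name: m[1],
          entropy: Number(shannonEntropy(value).toFixed(2)),
          redacted: value.slice(0, 4) + "*".repeat(Math.max(0, value.length - 4)),
        });
      }
    }
  });
  return findings;
}

// Convenience gate for a pre-commit hook: true means "block this commit".
function hasHardcodedSecrets(source) {
  return scanSource(source).length > 0;
}

// Constructed sample resembling a mobile client's config module; not real credentials.
const SAMPLE_SOURCE = [
  "const API_BASE = 'https://api.example.test/v1';",
  "const apiKey = 'AKEXAMPLE0123456789abcdef';",
  "const headers = { 'Authorization': 'Basic ZGV2OmNvcnJlY3Rob3JzZQ==' };",
  "const password = 'hunter2hunter2';",
  "const theme = 'dark';",
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.kind} (${f.name}) value=${f.redacted} entropy=${f.entropy}`);
}
```

Run it over the constructed sample and three of the five lines are flagged; the entropy score is there so a reviewer can tell a real key from a placeholder like `changeme` at a glance. A scanner like this only proves that credentials sit in the bundle; the fix is still to move them out of the client entirely, since anything shipped in a mobile app must be assumed readable.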

Still, if that were the only security hole, you might be able to wave off the hard-coded data as a mistake made during development. The dev forgot to take out his credentials before pushing to production, we can suppose. But Alderson found a more incriminating hole: there was no authentication mechanism for their API. So not only can the app fetch data from the company’s server; anyone else can too. All they need to do is find the endpoints of this private API.

Lo and behold,


Alderson then lists a few ways he could have compromised their data. His examples offer a chilling look at how data can be stolen with little effort.


Here are a couple of things to take away from this news:

From a user’s perspective, apps that ask for personal information must be used with caution, or avoided altogether, if the company can’t ensure security. After the Facebook privacy scandal, more users have become aware that their data isn’t as private as they had led themselves to believe. Savvy users want transparency at the forefront of the user experience.

From a developer’s perspective, there must be a checklist to follow to ensure that, at the bare minimum, data is being sanitized and passwords are hashed with bcrypt rather than MD5, for example. It’s no longer enough simply to keep up to date with the latest technologies; a developer, especially a freelance developer, must keep pace with the latest security practices to ensure the safety of the end user. Wherever we lean on the political spectrum, we can all agree that data must be protected.
