
AppSec News Round Up—April 2021

We live in a world where only three things are certain: death, taxes and breaches.

Nearly every day, WhiteHat’s team of security researchers and executives are tapped to share their perspective and expertise with those reporting on the most high-profile cybersecurity issues that are continually shaping the industry’s landscape.

In this new monthly series, we’ll take a look back at the previous month through some of the most impactful news stories featuring commentary from WhiteHat.

Now, let’s dive into the news that made April 2021 such an eventful month:

APRIL 3: Business Insider reported that data and personal information of 533 million Facebook users from 106 countries, including more than 32 million records on users in the U.S., were posted for free in a hacking forum.

After the exposure of millions of user phone numbers and enough other user information to determine an identity, Security Magazine reached out to Setu Kulkarni, VP of Corporate Strategy and Business Development at WhiteHat Security, for his perspective:

“Now more than ever it is important to seriously reconsider using phone numbers as logins or sharing phone numbers with apps. Switching phone numbers is inordinately more taxing than switching email IDs.” — Setu Kulkarni

That very same day, it was reported that Intel was among those named in the state of Florida’s lawsuit against tech companies for allegedly using session replay software to track users’ activity—mouse movements, clicks, page visits, scrolling, tapping and other interactions.

Ray Kelly, Principal Security Engineer at WhiteHat Security, explained to Fox Business that nearly every website records user interaction analytics, and that unless the captured data can be directly tied back to the plaintiff, or personally identifiable information (PII) has been collected without consent, no GDPR rules have been broken.

“Nearly every website records site and user interaction analytics such as page clicks, time spent on each page, and form data submitted by the user,” Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, California-based provider of application security, told Fox News.

General Data Protection Regulation (GDPR) states that collecting analytics is fine as long as it’s anonymous or the user explicitly gave consent to use their data, Kelly said.

“In the Florida class-action lawsuit, the defendants would need to prove that the data captured is able to be directly tied back to them or … if they can prove personal identifiable information (PII) was collected without consent,” Kelly said.

APRIL 6: Security researchers at Onapsis, in coordination with SAP, released an alert warning that adversaries were actively executing attacks on known vulnerabilities within SAP systems that could ultimately cede full control of unsecured SAP applications to the hackers.

Speaking with Threatpost, Kulkarni pointed to recent WhiteHat research suggesting that independent software vendors (ISVs) and technology companies have an inordinately high window of exposure, and a corresponding lack of security rigor, as they may ultimately pass on security responsibilities to the companies using their technology:

“Our reporting has found that independent software vendors (ISVs) and technology companies have an inordinately high window of exposure. We are seeing that ISVs and technology companies are lacking in their security rigor as they ultimately may pass on the security responsibilities to the companies that use the ISV to build products for their customers.”

APRIL 12: Less than two weeks after Facebook came under fire, Clubhouse suffered an equally detrimental data breach after hackers exposed the details of 1.3 million users through Clubhouse’s application programming interface (API). After being posted on a hacking forum, the user information was advertised offering user I.D., photo, username, Twitter name, Instagram name, number of followers, number of people followed by the user and account creation data.

Kulkarni was again one of the first security executives to comment on the breach, and his insight was featured across top publications covering the news including SiliconANGLE, Security Magazine and Security Boulevard.

“When all development has now shifted to API first development, then why hasn’t security also shifted to API first security? Testing APIs in production is as important as, if not more important than, ever, not just for vulnerabilities but also for business logic flaws that can result in unfettered access to user data by malintending actors.”

APRIL 29: Perhaps the biggest story of an already eventful month surfaced when Krebs on Security reported independent security researcher Bill Demirkapi’s claims that the credit scores of almost every American were exposed through the Experian Connect API tool, which allowed lenders to automate FICO-score queries. The tool was intended to be used by the Experian credit bureau; however, Demirkapi claimed it was left open on a lender site without basic security protections.

Kulkarni chimed in immediately following the news and was featured in Threatpost’s coverage of the high-profile breach:

“APIs are the lingua franca for business integrations and a flaw in APIs is lethal,” Setu Kulkarni, vice president with WhiteHat Security, told Threatpost.
“If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner.”

While Experian fixed the vulnerability the following day, Setu was asked to follow up on the news and provide deeper insight into the nature of the attack for Security Magazine:

“This is a wake-up call for Experian, yet again demonstrating that while the use-cases have to be designed for the end user, the abuse cases have to be designed for the super-users (benign or adversarial).
If you look at the flaw, it was a basic authentication flaw – something that should have been contemplated during the design phase of the software. What is worse here is that there are API Management solutions that allow organizations to compensate for missing authentication in the APIs they want to make public. When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit — which are posed by insecurities in each other’s applications. If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner. Similar to how we view the spreading virus, it is possible to unintentionally infect your friend or your organizational partner if you do not take the necessary precautionary steps of testing and protecting your applications. Prioritize the requirement for application security assessment with your partners when you are executing on your growth strategy with them.”