
A recent discovery by CloudSEK’s BeVigil platform has highlighted the significant risks posed by unprotected Application Programming Interfaces (APIs). BeVigil uncovered that API endpoints belonging to a major technology service provider were left unsecured, leading to the exposure of sensitive data for over 33,000 employees.
BeVigil’s WebApp scanner detected unauthenticated API endpoints associated with the service provider’s internal web application. These unprotected endpoints granted unrestricted access to a trove of confidential information, including:
- Employee Personal Information (PII): Names, email addresses, and business unit details.
- Asset Details: Hardware configurations and provisioned devices.
- Project Information: Internal workgroup assignments and project structures.
The report emphasizes the severity of this issue, stating that “any attacker could simply send an HTTP request and extract confidential data without any authentication barriers”.
The exposure of this data creates a chain reaction of security risks, including:
- Unauthorized Data Access: Attackers could download and analyze organizational data, track employees across different business units, and identify key personnel and their responsibilities.
- Increased Attack Surface for Cybercriminals: The exposed API data was updated in real time, enabling attackers to continuously monitor employee activities, infrastructure changes, and software deployments, potentially leading to further security breaches.
- Social Engineering and Phishing Attacks: With access to employee details, attackers could impersonate internal IT teams to extract additional credentials through targeted phishing emails, or deploy malware under the guise of legitimate corporate communications, gaining further access to the organization’s internal network.
The report outlines several immediate actions that organizations must take to mitigate the damage from such incidents:
- Restrict API Access: Implement authentication and authorization for all API endpoints.
- Encrypt Sensitive Data: Ensure that personally identifiable information is encrypted before transmission.
- Monitor API Traffic: Deploy monitoring tools to detect unauthorized access in real time.
- Rotate Exposed Credentials: Change all compromised API keys and user credentials immediately.
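The first and third recommendations (authenticate and authorize every endpoint; watch API traffic for unauthenticated access) are shown together in the following added example. It is not code from the CloudSEK/BeVigil report or from the affected provider: the route table, the token values, the scope names and the log lines are all constructed for illustration. The authorization check is deny-by-default, so a route missing from the table is refused even with a valid token, and the log scan flags any source address that repeatedly received a 200 from a data endpoint with no credentials, which is exactly the symptom the report describes.

```python
"""Added example (not from the report): deny-by-default API authorization
plus a log scan for endpoints that serve data without authentication."""
import hashlib
import hmac
import re
from collections import Counter

# Hypothetical route table: every route must declare the scope it needs.
# A route absent from this table is rejected, so a forgotten endpoint
# fails closed instead of silently serving data.
ROUTE_SCOPES = {
    "/api/employees": "employees:read",
    "/api/assets": "assets:read",
    "/api/projects": "projects:read",
}


def _token_hash(token: str) -> str:
    """Store only hashes so plaintext tokens never sit in memory or logs."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token store: token hash -> granted scopes.  A real deployment
# would look these up in an identity provider; the values are placeholders.
TOKEN_SCOPES = {
    _token_hash("hr-service-token-EXAMPLE"): {"employees:read"},
    _token_hash("inventory-token-EXAMPLE"): {"assets:read", "projects:read"},
}


def authorize(path: str, headers: dict) -> tuple:
    """Return (status, reason) for a request to `path`.

    Credentials are checked before the route is resolved, so an
    unauthenticated caller learns nothing about which routes exist.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    presented = _token_hash(auth[len("Bearer "):])
    granted = None
    for stored, scopes in TOKEN_SCOPES.items():
        # Constant-time comparison on the hash avoids a timing side channel.
        if hmac.compare_digest(stored, presented):
            granted = scopes
            break
    if granted is None:
        return 401, "unknown token"
    required = ROUTE_SCOPES.get(path.split("?", 1)[0])
    if required is None:
        return 404, "unknown route"
    if required not in granted:
        return 403, "token lacks scope " + required
    return 200, "ok"


# Constructed access-log format: <ip> "<METHOD> <path>" <status> auth=<none|token>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) auth=(?P<auth>\w+)$'
)


def flag_unauthenticated_hits(log_lines, threshold: int = 3) -> dict:
    """Return {ip: count} for sources that received a 200 from a registered
    data route with no credentials at least `threshold` times.  That pattern
    means the endpoint itself is not enforcing authentication."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        route = m["path"].split("?", 1)[0]
        if route in ROUTE_SCOPES and m["auth"] == "none" and m["status"] == "200":
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log: one address pulls employee and asset data three
# times with no credentials and gets 200 every time.
SAMPLE_LOG = [
    '203.0.113.7 "GET /api/employees" 200 auth=none',
    '203.0.113.7 "GET /api/employees?page=2" 200 auth=none',
    '198.51.100.4 "GET /api/assets" 200 auth=token',
    '203.0.113.7 "GET /health" 200 auth=none',
    'garbage line that does not parse',
    '203.0.113.7 "GET /api/assets" 200 auth=none',
]

if __name__ == "__main__":
    print(authorize("/api/employees", {}))
    print(authorize("/api/employees", {"Authorization": "Bearer hr-service-token-EXAMPLE"}))
    print(flag_unauthenticated_hits(SAMPLE_LOG))
```

The log scan deliberately ignores `/health`, which is not in the route table, and counts query-string variants of a route as the same endpoint; lowering `threshold` to 1 turns it into an alert on the very first unauthenticated 200.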