Chat with us, powered by LiveChat

Security Exploit Case Study #6

Note: This series aims to analyze and simplify breach and vulnerability reports that are usually cryptic and mostly written by legal. The simplified version hopes to educate and help security and engineering leadership avoid the same mistakes.

Company: First American Financial
Report Date: May 24, 2019
Vulnerable Data: 885M customer records
The complexity of hack: Medium
Vulnerability Type: Zero-Day Exploit. A common vulnerability that can exist
across multiple endpoints.

Vulnerable Data

  • SSN, drivers licenses, account statements, corporate documents, etc.

Sample vulnerable endpoint/URLs

https://../documents?id=1001
https://../documents?id=1002
https://../documents?id=1003

Exploit Rule #1: Hackers are looking for monetizable data like customer names, emails, addresses, company names, credit cards, transactions, orders, financial records, etc unless if the intention is to disrupt your business.

The flaw in the URL:

  1. The above URL suggests that it’s a document endpoint. It may contain sensitive and financial information since the First American Financial is a financial company. This endpoint is more important to hackers than let’s say “/locations”, or “/products” endpoints which are mostly public information and exploiting or accessing this data will have very little financial gains.

Once the hackers identify endpoints with critical data, the next steps are to look for the exploits.

Exploit Techniques

  1. Insecure Direct Object Reference (IDOR)
  2. Parameter Tampering

The IDOR is a common design practice across the industry to solve some common problems, for example, Google Docs, Dropbox they all use this design to allow users to share private documents by just sharing the auto-generated non-guessable document URLs. The only time this design becomes an easy pray is if the URLs are guessable or predictable and in First American Financial’s case, it seems the product had sequential or number-based document ids. That means it was easy to guess document Ids for the entire 885 million records.

If the above URL were public or non-protected, which means it doesn’t require any authentication, then this would have allowed hackers to download all the data without leaving any digital fingerprints. Also, it requires much less work on their part, as they don’t have to sign-up for the service or steal a customer or employee credentials to perpetuate the breach.

More example of bad Id design:

id=emp-1001
id=customer-1001

Never ever use sequential numbers and weak random string generators. These are easy to predict or reverse generate.

Example good Id design; Google’s private doc’s public URL (The highlighted ID is tough to guess or predict). Anybody with the URL can access the document.

https://docs.google.com/spreadsheets/d/1mCPqlQSTI3K4YzJqbW8peTQ3zBF7tlNptmOEuLybvXI/edit?usp=sharing

The next step would have been to use parameter tampering technique along with a script to download all the documents. Example shell script

#!/bin/bash
for i in {1..1000000000}
do
   wget "https://../documents?id="$i
done

Solution: Tactically secure and validate the most critical data endpoints first.

Attackers are consistently going after three critical pieces of information if monetary benefits drive them. e.g., customer information, customer financial data, credit cards, bank accounts, transfers, transactions, orders, etc.

Financial Repercussions:

  • Even though there was no reported breach but the First American Financial stock still shed $110M or 2% of the $5.7B market cap.
  • Have to go through expensive third-party forensics and audits.

What won’t work in thwarting these kinds of attacks

  • Web scanners may not detect these exploits, as they focus more on injection and on fuzzing attacks than on tailored scenarios like these.

How to protect your Apps and APIs against these attacks?

  • Design best practice: never use Incremental IDs for record identifications in your database. Instead, use random UID’s and in addition, do salting of IDs. It will slow down the attack as it will be much harder to guess and fish ID.
  • Proper Access-Controls checks in the business logic to validate caller against the requesting data.
  • Continuously scan & validate access-controls logic on all endpoints. As the product grows these vulnerabilities becomes very common.
  • A Type-2 Scanner that looks in addition to injection attacks and looks for business logic vulnerabilities including RBAC, ABAC, Hijack, Sensitive Data Exposure attacks, etc.

PS: The sad part of this entire publication is, this news went mainstream on Verge, Engadget, and KTLA even before official confirmation. What is confirmed so far is the existence and closing of the vulnerability and there is no actual data leak report yet and it may even take months before the forensics can complete.