Search This Blog

Showing posts with label API Bug. Show all posts

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub



Developers at Starbucks left an API (Application Programming Interface) key exposed to hackers with no password protection that could have been used by them to gain access to internal systems and consequently manipulate the list of authorized users. Hackers could have exploited the vulnerability in several ways which allowed them to execute commands on systems, add or remove the listed users and AWS account takeover.

The key was discovered by Vinoth Kumar who is an India security researcher, he happened to locate the open key in a public GitHub repository and responsibly reported it to Starbucks on 17th October via HackerOne vulnerability coordination and bug bounty platform. While reporting the same, HackerOne told, “Vinoth Kumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information.”

“While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks.” the expert himself told.

The key would have allowed an attacker to access a Starbucks JumpCloud API and hence the severity of the flaw was all the way up to critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution that customers employ to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single-on (SSO) and Lightweight Directory Access Protocol (LDAP) service.

The issue had been taken into consideration by Starbucks very early on, however, Kumar tends to take note of the same on October 21 and told that the repository had been taken down and the API key had been revoked. As soon as the company examined Kumar's proof-of-concept of the flaw and approved of the same, the expert was rewarded with a bounty worth US$4,000 for responsibly disclosing the vulnerability.

While commenting on the matter, Starbucks said, “Thank you for your patience! We have determined that this report demonstrates “significant information disclosure and is therefore eligible for a bounty,”

“At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future.”

Twitter API Bug Enables Third Party Access to User Data



An API bug found earlier this month that could host unapproved third-party developers in order to gain access to the user's information on Twitter was as of late looked for and removed by the said social networking site.

The bug was said to affect the permission dialog while approving and authorizing certain applications to twitter and left direct messages to be exposed to the third party without the user's knowledge. Instead of the OAuth token-based method, bug manifested with applications that require a PIN to finish the authorization procedure.

Terence Eden, who found the issue and thusly reported it to Twitter describes it as one coming directly from the official Twitter API keys and the privileged insights being uninhibitedly accessible, enabling the application developers to get to the Twitter API even without the administration's approval.

In spite of the fact that Twitter upheld a few confinements to anticipate imitating the official applications by utilizing the keys to divert to an alternate application than the one they are related with. They utilized a strategy to limit 'callback URLs', so a developer couldn't utilize the API keys with their application.

Yet, shockingly this assurance was not comprehensive, since some applications don't utilize a URL, or they may not bolster call-backs and for these, Twitter at that point resorts to a secondary, PIN based, approval system. Later on, Eden saw that the applications did not demonstrate the correct OAuth details to the user. For reasons unknown, the discourse wrongly informed the user that the application could not be able to access the direct messages, although the inverse was valid.




The researcher submitted his discoveries through HackerOne on November 6 and the issue was acknowledged around the same time subsequent to giving elucidations and exhibiting the privacy violation problem.

Nonetheless Twitter settled the issue on December 6 subsequently informing the analyst that he could distribute the subtleties of his report.