Cyber Defense eMagazine November Edition for 2021

More documents

Recommendations

Info

of coupons. BrewDog didn’t believe the vulnerability existed and didn’t acknowledge the report. The information was made public and BrewDog is dealing with significant fallout. This year, I did some similar research on the well-known Lithium community forum platform, which is now owned by Khoros. Lithium is a multi-tenant SaaS architecture used by many organizations including Roku, DropBox and FitBit to host user forums. If you are logged in to FitBit, then you are using Lithium, configured as a public community, to share results, discuss workout regimens, and so on. While logged into the FitBit Community I noticed a weird request being made by my browser: GET /xmnuz23762/api/2.0/search?q=SELECT+id,+login,+avatar.profile,+rank,+view_href+FROM+us ers+WHERE+id+%3D+%22REDACTED%22 My first thought was that it was strange to find SQL queries in the request, so I wondered if I could change them. My second thought was, “what the heck is xmnuz23762?” I first tried changing the SELECT criteria and the WHERE information, yielding: GET /xmnuz23762/api/2.0/search?q=SELECT+*+FROM+users This showed me all users. I found User 1, whose profile showed that they were the Lithium Admin. Now I knew what the FitBit community platform was based on. Recall that a vulnerability is simply an exposure to a possible attack. So, is this an exposure to an attack? I believe so and here’s why. Exploiting the Flaw I can change the query to get intended results. This means I can dump various parts of the database at will. Khoros disagrees, stating that what I had found is their API, called LiQL (Lithium Query Language) which uses a syntax similar to SQL. Occasionally, the similarity causes confusion with security experts concerned about SQL injection vulnerabilities. Okay, so it’s not identical to a SQL injection, but I can still change it at will and get various pieces of data. Let’s turn our attention to the other oddity I saw: What is xmnuz23762? This alphanumeric sequence is available on every request so it must be related to FitBit. Since this data element was available in each request, I figured it was a domain ID. Querying the DNS entries for Lithium showed that xmnuz23762.lithium.com will redirect you to community.fitbit.com. Pulling a different ID from my DNS entries I found aempf32337.lithium.com, which redirects me to community.roku.com. Cyber Defense eMagazine – November 2021 Edition 116 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
So, what if I change my query from: To: GET /xmnuz23762/api/2.0/search?q=SELECT+*+FROM+users GET /aempf32337/api/2.0/search?q=SELECT+*+FROM+users The answer is exactly what you think. I get the list of users from Roku. By the way, Roku requires authentication, but I didn’t create an account. I just used all the authentication from FitBit to log into Roku and see the users there. This is commonly known as an authentication bypass. I have now exploited the flaw in the request structure that allows for me to use my FitBit login credentials to bypass the Roku community authentication process. This means that I can observe the Roku forum without logging in, without accepting terms and conditions and I can read any public forum I wish by sending random requests and getting valid responses. So What? The question is, is this a vulnerability that enables me to execute an attack? The majority of the organizations that use this platform have requirements for use. FitBit requires you to register, establish a strong password and be over the age of 13. If I do not have to be logged in, then this requirement cannot be enforced. In this single use case alone, I am able to exploit this flaw to bypass terms and conditions. Is bypassing the terms and conditions an “attack”? Maybe or maybe not. In a public community there is an assumption you are going to share information, but you are also afforded some level of privacy as most forums allow you to configure sharing permissions, yet my research showed that several scenarios were possible: ● A malicious actor could scrape the data off of all of Khoros’ public tenants ● A competitor could easily uncover Khoros’ customer names and contacts. ● A disgruntled user could use information from posts about product issues to execute a disparaging social media campaign. ● Given the lack of authentication and the ability to view data in the tables, we believe the platform may be susceptible to SQL injection attacks, despite their statements to the contrary. If you are using a multi-tenant SaaS platform and assuming that platform is secure, but not testing the security of the platform, you might be surprised. Though we played it very safe here to ensure we didn’t break anything, I am certain that bypassing authentication isn’t the intended use of authentication on the platform. Cyber Defense eMagazine – November 2021 Edition 117 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
The Top 3 Cyber Security Mistakes a
Page 3 and 4:
How To Effectively Secure Connected
Page 5 and 6:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8:
Cyber Defense eMagazine - November
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
2. Technology and System It is also
Page 37 and 38:
NetOps Enhances Security Growing nu
Page 39 and 40:
the businesses utilizing an indepen
Page 41 and 42:
Sensitive data exposure and the ser
Page 43 and 44:
You’ve Been Attacked by Ransomwar
Page 45 and 46:
● Stop the bleeding: Segregate th
Page 47 and 48:
Digital Transformation Security: Gu
Page 49 and 50:
When the partners and solutions hav
Page 51 and 52:
Why The Integration of Netops And S
Page 53 and 54:
organizations, where siloed operati
Page 55 and 56:
How to protect yourself from cyber
Page 57 and 58:
Five Cloud Telephony Security Vulne
Page 59 and 60:
By encrypting all data end-to-end a
Page 61 and 62:
The following signs may indicate a
Page 63 and 64:
The 5 Most Common Cyber-Attacks on
Page 65 and 66: social engineering attacks by reduc
Page 67 and 68: throughout your everyday operations
Page 69 and 70: protect critical systems, applicati
Page 71 and 72: • Protect Data There are various
Page 73 and 74: Overcoming the Limitations of VPN,
Page 75 and 76: • VPN cannot limit access control
Page 77 and 78: About the Author Burjiz Pithawala i
Page 79 and 80: A Work in Progress The Advanced Tec
Page 81 and 82: SOAR Into More Integrated Cybersecu
Page 83 and 84: analyst requires more data to reall
Page 85 and 86: Critically, this survey found that
Page 87 and 88: About the Author Mike East is Vice
Page 89 and 90: complete security strategy should i
Page 91 and 92: Financial Institutions Leveraging C
Page 93 and 94: CIAM is an area that is increasingl
Page 95 and 96: (Image source: Statista) Attacking
Page 97 and 98: than actually going to the server.
Page 99 and 100: and have complete control over all
Page 101 and 102: What Do Spear Phishing Attacks Look
Page 103 and 104: Our report also suggests that emplo
Page 105 and 106: Keeping Your Guard Up: Protecting A
Page 107 and 108: create significant security risks t
Page 109 and 110: Stop Phishing in its Tracks The Del
Page 111 and 112: Lateral Movement - The Key Element
Page 113 and 114: isolating endpoints, MDR analysts c
Page 115: When Does a Vulnerability Become a
Page 119 and 120: How To Bring Your Own Key to Hybrid
Page 121 and 122: Absence of sole control - is BYOK t
Page 123 and 124: On-premise versus virtual HSMs To b
Page 125 and 126: Protect Data with Deep Packet Inspe
Page 127 and 128: This type of Data Breach Prevention
Page 129 and 130: We buy more products...and we’re
Page 131 and 132: Access over Ownership Cybersecurity
Page 133 and 134: How To Do Disruptive Innovation Rig
Page 135 and 136: 3. Verify all patents, trademarks,
Page 137 and 138: Cyber Defense eMagazine - November
Page 149 and 150: CyberDefense.TV now has 200 hotseat
Page 151 and 152: Books by our Publisher: https://www
Page 155: Cyber Defense eMagazine - November
show all

Cyber Defense eMagazine November Edition for 2021

Create successful ePaper yourself

Delete template?

Save as template?