Payment API Vulnerabilities Exposed "Millions" of Users

Millions of consumers may have exposed their personal and payment information after researchers discovered API security vulnerabilities affecting multiple apps.

CloudSEK said that of the 13,000 apps uploaded to its BeVigil “security search engine” for mobile applications, around 250 use the Razorpay API to facilitate financial transactions. Unfortunately, it found that approximately 5% of these exposed their payment integration key ID and key secret.

This is not a flaw in Razorpay, which serves around eight million businesses, but rather how app developers are mishandling their APIs.

“When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem,” the firm explained.

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.”

Specific data exposed in this way could include user information like phone numbers and email addresses, transaction IDs and amounts, and order and refund details. In addition, because the same apps are usually integrated with other applications and wallets, even more could be at stake, CloudSEK warned.

Threat actors could use the exposed API information to make bulk purchases and then initiate refunds, sell stolen data on the dark web, and/or use it to launch social engineering attacks such as follow-on phishing attempts, the firm claimed.

All 10 of the leaky APIs have now been deactivated. Still, CloudSEK urged developers to understand the potential impact of such issues early on and set up review processes to prevent them from escalating.

That’s because invalidating a payment integration key will stop an app from working, causing significant user friction and financial loss.

“Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key,” CloudSEK concluded.

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”

What’s Hot on Infosecurity Magazine?