Facebook Marketplace Data Sharing Highlights API Security Issue


Sometimes, cloud security flaws don’t come from unauthorized databases exposed online or from stolen account passwords. Instead, they come from information that companies share willingly via their cloud-based systems. 

Facebook provided a perfect example last month after it was discovered sharing sensitive user location data via its application programming interface (API).

An API is a way for computers to query each other directly over a network. A simple request returns a collection of data, typically in JavaScript Object Notation (JSON) format. The problem is that sometimes, companies either don’t validate those requests, or they share too much data.

Security consulting firm 7 Elements surfaced a problem in Facebook Marketplace after examining the service's API to see if it was possible to track stolen goods using the system. 

Facebook Marketplace is the social media giant’s equivalent to Craigslist. It is a giant classified ads section where you can buy, sell, or barter items with other people in your area.

Facebook Marketplace displays only the advertiser’s general area in its listings, but the story was different when 7 Elements queried the API. The JSON data that it got back revealed latitude and longitude information and the seller’s precise postal code. 

“This would make it easy for anyone malicious to identify the location of that ‘£7,000 bike’ almost down to the meter,” pointed out John Moss, a cybersecurity researcher for the company. “It’s also probably not the best idea for the full postcode to be available publicly as well, given it wouldn’t take much to find an address based on that and the other information available (i.e. the seller’s full name).”

Facebook rejected Moss’s responsible disclosure submission, arguing that this wasn’t a security vulnerability. Sellers of valuable items on Facebook might disagree. He said he had to contact a friend at the company to get it taken seriously, and the company finally fixed the issue.

This isn’t the first time that an API has shared too much data. Chips 2.0, a set of mobile phone-connected Bluetooth speakers from Outdoor Tech, targets skiers who want to communicate with each other on the piste. Researchers at cybersecurity company Pen Test Partners found the API for the product was leaking all of the app’s users, their email addresses, phone numbers, and GPS locations.

All of which goes to show that when you’re going cloud native and prepping your systems to interact with other cloud-based computers, it’s worth paying attention to your APIs and ensuring that you expose only the right information to the right people.
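One defensive pattern for the over-sharing described above, written here as an added example (not code from Facebook, 7 Elements, or the article): build the public API response from an explicit field allowlist that mirrors what the listing page displays, then scan the result for sensitive keys before it leaves the server. The field names and the sample listing record are constructed assumptions for illustration.

```python
import json

# Assumed: the fields the listing page actually shows. The API response is
# built from this allowlist, never by serialising the whole internal record.
PUBLIC_LISTING_FIELDS = ("id", "title", "price", "seller_name", "location")

# Key names that must never appear in a public response at any depth.
SENSITIVE_KEYS = {"latitude", "longitude", "postcode", "email", "phone"}

# Constructed sample of an internal record, modelled on what the article says
# the Marketplace API returned: precise coordinates plus the full postcode.
INTERNAL_LISTING = {
    "id": 101,
    "title": "Road bike",
    "price": "£7,000",
    "seller_name": "J. Example",
    "location": {"area": "Leeds", "latitude": 53.8008, "longitude": -1.5491,
                 "postcode": "AB1 2CD"},  # constructed, not a real address
}


def public_location(loc):
    """Reduce a location object to the general area the listing page shows."""
    return {"area": loc["area"]}


def project_public(record, allowed=PUBLIC_LISTING_FIELDS):
    """Produce the public view of a listing from the allowlist only."""
    out = {k: record[k] for k in allowed if k in record}
    if "location" in out:
        out["location"] = public_location(out["location"])
    return out


def leaked_keys(obj, path=""):
    """Walk a JSON-compatible object and return dotted paths of sensitive keys."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                found.append(p)
            found.extend(leaked_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(leaked_keys(v, f"{path}[{i}]"))
    return found


if __name__ == "__main__":
    print(leaked_keys(INTERNAL_LISTING))  # raw record: three leaking paths
    public = project_public(INTERNAL_LISTING)
    print(json.dumps(public, ensure_ascii=False))
    print(leaked_keys(public))  # returns []
```

The `leaked_keys` walk doubles as a release-gate test: run it against every public endpoint’s sample responses so a new field added to the internal record cannot silently reach the JSON the API hands out.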

The topic of Cloud Security will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
