Published in ShiftLeft Blog

Chetan Conikee · Sep 26 · 3 min read
THE OPTUS BREACH: HOW BAD CODE KEEPS HAPPENING TO GOOD COMPANIES



> First, let me be clear that I have no insider knowledge. This is my best guess
> at what occurred, based on publicly available information here and others
> indicated in references section below.

On Thursday this week, Australia’s second-largest telecom company, Optus,
announced it had suffered a major data breach that had compromised sensitive
customer information.

Jeremy Kirk of The Ransomware Files has been progressively uncovering details
associated with this incident.



As details are still emerging, let’s examine the attacker’s tactics, techniques
and procedures.

This attack bears a close resemblance to the Citibank, Molina Health and
Signet/Jared Jewelers incidents documented in detail in the post linked below:

CASE FILES: ATTACK LIKE IT'S 1999 (CITIBANK) IN 2012 (SIGNET/JARED JEWELERS,
MOLINA HEALTH)
"In the prior installment, I discussed and described the definition of a
business logic flaw." (chetan-conikee.medium.com)




WHAT HAPPENED?


 1. Information suggests that the data was exfiltrated through an
    unauthenticated REST API endpoint at http://api.www.optus.com.au (which has
    since been shut down).
 2. Essentially anyone on the public internet was allowed to send a request
    asking the server to "fetch contact details for the Optus customer with
    contactid=XXXXXXXXX".
 3. Even worse, the parameter in question appears to have been a direct
    reference to the contactid (a predictable sequence), and it was included
    in the URL of the request rather than placed within the body of a POST
    request.
 4. As a consequence, the attacker was able to enumerate and exfiltrate the
    personal information of 11.2 million Optus customers, which the server
    duly returned.


WHAT DATA WAS EXPOSED?

 1. 11.2 million Optus customers have been impacted by this incident.
 2. As indicated here, the information which has been exposed is the
    customer's name, date of birth, email address, and the number of the ID
    document they provided, such as a driver's licence or passport number. No
    copies of photo IDs have been affected.


WHY DID THIS HAPPEN?

 1. Lack of authorization checks for every user request. Web portals have
    several channels of communication, such as the browser, mobile apps, API
    services, and embedded links in emails that track back to the portal. Are
    all of these paths subject to uniform authentication and authorization
    controls?
 2. Even if the request is authorized, are referential integrity checks
    performed to ensure that the authorized user is accessing only data within
    their own tenancy? Leaving the attacker aside, it seems there weren't any
    AAA checks to ensure that customers across tenancy domains in a SaaS
    environment could not access, or have visibility into, other tenants'
    data.
 3. Using direct object references (predictable sequences): contact records
    are retrieved from a database and naturally have a primary key id that
    uniquely identifies each of them. Rather than exposing that real id to
    the client, one can create a transient, random contact id and cache a map
    from it to the real contact id within the scope of an active request or
    session. This breaks the predictable sequence and would have prevented
    repeated enumeration by the attacker.
 4. Sending sensitive information in the URL of a request: when in doubt, send
    parameters within the body of a POST request. This won't protect you from
    this type of attack, but it makes the flaw slightly less obvious.
 5. Lack of API gateway controls, tenancy validation, rate limiting and request
    throttling configuration for every API endpoint that directly or
    indirectly touches sensitive information. If this request was issued 11.2
    million times, there weren't any controls in place to raise alerts
    indicating anomalous behavior.

> Ironically, this is one of those types of flaws that’s all but impossible for
> an automated web application vulnerability scanner to find but incredibly easy
> for even a savvy 10-year-old to discover.
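As an added example (not from the original post, and not ShiftLeft's or Optus's code), the lookup endpoint is modelled below in plain Python without a web framework: the weak handler behaves as items 1 to 4 describe, and the hardened handler applies the five controls from the list in gateway-to-handler order. Every record, id, tenant, token, IP address and the `Request` shape are constructed for illustration; the tenancy check is deliberately redundant with the ownership check so that each control stands on its own.

```python
"""Constructed example: a contact-lookup endpoint modelled in plain Python,
with the weak pattern the post describes beside a hardened handler.
Every record, id, tenant, token and address here is made up."""
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed sample table: sequential primary keys, as a database assigns them.
CONTACTS = {
    100001: {"tenant": "consumer", "name": "A. Example", "dob": "1990-01-01", "doc_no": "DL-000001"},
    100002: {"tenant": "consumer", "name": "B. Example", "dob": "1985-05-05", "doc_no": "PP-000002"},
    100003: {"tenant": "business", "name": "C. Example", "dob": "1978-09-09", "doc_no": "DL-000003"},
}


@dataclass
class Request:
    client_ip: str = "203.0.113.10"          # constructed documentation-range address
    path_contact_id: Optional[int] = None   # weak pattern: the real id taken from the URL
    session_token: Optional[str] = None     # hardened pattern: an authenticated session
    ref: Optional[str] = None               # hardened pattern: an opaque per-session handle


def lookup_contact_weak(req: Request):
    """The flaw as described: no authentication, no tenancy check, and the
    sequential primary key read straight from the URL. Anyone who can count
    can walk the whole table, document numbers included."""
    return CONTACTS.get(req.path_contact_id)


# --- Hardened version ----------------------------------------------------------
SESSIONS = {}   # token -> {"contact_id": owner's id, "tenant": str, "refs": {handle: real id}}
DENIALS = []    # (reason, client_ip) pairs: what a gateway would feed to alerting


def create_session(contact_id: int) -> str:
    """Hypothetical login step; the caller has already proven they are this contact."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"contact_id": contact_id, "tenant": CONTACTS[contact_id]["tenant"], "refs": {}}
    return token


def issue_reference(token: str, contact_id: int) -> str:
    """Hand the client a random, session-scoped handle instead of the primary key
    (item 3). Deliberately does not check ownership: the handler must."""
    handle = secrets.token_urlsafe(16)
    SESSIONS[token]["refs"][handle] = contact_id
    return handle


class RateLimiter:
    """Sliding-window request counter per key (here the client address)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=20, window_seconds=60)


def lookup_contact_hardened(req: Request, now: Optional[float] = None):
    """Returns (http_status, body). Each check maps to an item in the list above."""
    if not LIMITER.allow(req.client_ip, now):               # item 5: throttle per caller
        DENIALS.append(("rate_limited", req.client_ip))
        return 429, None
    sess = SESSIONS.get(req.session_token)                  # item 1: authenticate first
    if sess is None:
        DENIALS.append(("unauthenticated", req.client_ip))
        return 401, None
    contact_id = sess["refs"].get(req.ref)                  # items 3/4: opaque handle, never a guessable id
    if contact_id is None:
        DENIALS.append(("unknown_reference", req.client_ip))
        return 404, None
    record = CONTACTS[contact_id]
    if record["tenant"] != sess["tenant"] or contact_id != sess["contact_id"]:  # item 2: tenancy and ownership
        DENIALS.append(("cross_tenant", req.client_ip))
        return 403, None
    return 200, {"name": record["name"], "dob": record["dob"]}   # document number not returned by default


if __name__ == "__main__":
    print("weak, no credentials:", lookup_contact_weak(Request(path_contact_id=100002)))
    tok = create_session(100001)
    print("hardened, own record:", lookup_contact_hardened(Request(session_token=tok, ref=issue_reference(tok, 100001))))
    print("hardened, no session:", lookup_contact_hardened(Request(ref="anything")))
```

The ordering matters: the limiter runs before any lookup, so even a flood of unauthenticated requests is throttled and logged, and `DENIALS` is the signal item 5 says was missing. The handle returned by `issue_reference` is 128 bits of randomness, so there is no sequence to walk, and the ownership check means that even a leaked handle cannot be replayed from a different session.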


HOW CAN SUCH FLAWS BE IDENTIFIED AND THEREAFTER AVOIDED?

Is there a human-assisted expert system available to check your specific
application belonging to a specific business domain for design flaws that can be
exploited?

Yes, such a system does exist. ShiftLeft’s CORE is a platform built over the
foundational Code Property Graph that is uniquely positioned to deliver a
specification model to query for vulnerable conditions, business logic flaws and
insider attacks that might exist in your application’s codebase.

To request a free trial and demo, please sign up at
https://www.shiftleft.io/request-demo/



