This week is all about API vulnerabilities. We found them everywhere: from client-to-cloud communications in Fortinet products to avatar hacks in the Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids' smartwatch system with an almost total lack of security.
Vulnerability: Fortinet
Researchers from SEC Consult found flawed implementations in various Fortinet products. Embarrassingly, these were security products, including FortiGuard Web Filter, FortiGuard AntiSpam, and FortiGuard AntiVirus. It turns out that the implementation of communications between their clients and the cloud backend left a lot to be desired.
All of the products rely on UDP and HTTP POST calls to send data from local clients to the cloud service. This data includes, for example:
For some reason, instead of using standard encryption protocols, the products simply applied XOR operations to the data. Even worse, they XORed the data with a hard-coded key. This meant that anyone who found this key could easily decrypt, read, and modify the traffic.
Reinventing the wheel in security is a bad idea. Using established encryption protocols and standards and their off-the-shelf implementation makes your product a lot more secure.
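To make the two failure modes concrete, here is an added example (written for this newsletter, not Fortinet's code or SEC Consult's research; the key, messages and helper names are constructed placeholders). It reimplements the fixed-key XOR scheme as the text describes it and runs two audit-style checks against it: the keystream never changes between messages, so one captured message with known content exposes all of them, and flipping a ciphertext bit flips the same plaintext bit without anything noticing. Alongside it is the minimal off-the-shelf fix for the second problem, an HMAC-SHA256 tag from the standard library that makes any modification detectable. Confidentiality still needs a standard cipher or TLS, which is left out here so the block runs with no third-party packages.

```python
import hashlib
import hmac

# --- The weak scheme as the page describes it: XOR with a fixed key. ---
# Constructed placeholder; the real key used by the products is not on the page.
HARDCODED_KEY = b"example-static-key"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the repeating key. Encrypt and decrypt are the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_is_static(c1: bytes, p1: bytes, c2: bytes, p2: bytes) -> bool:
    """Audit check: with C = P xor K, P xor C is K. If two unrelated messages
    produce the same value, the 'key' never changes, so knowing the content of
    one message is enough to read every other one."""
    n = min(len(c1), len(p1), len(c2), len(p2))
    return xor_bytes(c1[:n], p1[:n]) == xor_bytes(c2[:n], p2[:n])


def decrypt_after_bit_flip(ciphertext: bytes, key: bytes, index: int, mask: int) -> bytes:
    """Malleability check: flip bits in the ciphertext and decrypt. With XOR the
    same bits flip in the plaintext, and the scheme has no way to notice."""
    tampered = bytearray(ciphertext)
    tampered[index] ^= mask
    return xor_with_key(bytes(tampered), key)


# --- The off-the-shelf fix for the integrity half: an HMAC-SHA256 tag. ---
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(message: bytes, mac_key: bytes) -> bytes:
    """Append an HMAC tag computed under a per-session key."""
    return message + hmac.new(mac_key, message, hashlib.sha256).digest()


def open_checked(blob: bytes, mac_key: bytes) -> bytes:
    """Verify the tag before trusting the message; reject anything modified."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return message


if __name__ == "__main__":
    # Constructed sample records of the kind a client might report to a backend.
    p1 = b"url=http://example.test/page"
    p2 = b"sender=user@example.test;verdict=spam"
    c1 = xor_with_key(p1, HARDCODED_KEY)
    c2 = xor_with_key(p2, HARDCODED_KEY)
    print("keystream static across messages:", keystream_is_static(c1, p1, c2, p2))
    print("after flipping one bit:", decrypt_after_bit_flip(c1, HARDCODED_KEY, 4, 0x20))

    session_key = b"constructed-32-byte-session-key!"  # in practice: random, per session
    blob = seal(p1, session_key)
    print("tag verifies:", open_checked(blob, session_key) == p1)
    try:
        open_checked(blob[:4] + bytes([blob[4] ^ 0x20]) + blob[5:], session_key)
    except ValueError as err:
        print("tampered message rejected:", err)
```

The two checks are the kind of test a reviewer can run against any home-grown transport layer: if the keystream derived from two captures is identical, or if a modified ciphertext still decrypts to something the receiver accepts, the scheme is not providing confidentiality or integrity, whatever it is called.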
Vulnerability: Truecaller
Ehraz Ahmed had a good week, with two API vulnerabilities that he had found getting disclosed.
The first one is a vulnerability in Truecaller. Truecaller is a mobile app that uses crowdsourcing to r ..