4 lessons from recent application security case studies
Every organization, no matter how big or small, if it's dependent on the software (which is impossible not to be in the modern world), must prioritize software security. Interested in enhancing yours? Want to know how real-world application security challenges are tackled? Let's get straight to the point by examining real-life application security case studies.
Dive into our latest blog post, and uncover invaluable insights collected from the recent security incidents.
As we can see, a vast range of security issues could affect modern companies — from healthcare to social networks to cable service providers.
Beyond recounting each incident, we'll extract actionable lessons to empower your security team!
4 application security case studies (and what we can learn from them)
Spoutible
Breach date: 31 January 2024
The breach:
Security consultant and Have I Been Pwned creator Troy Hunt revealed a significant vulnerability in the API of Spoutible, a social platform that gained popularity after Elon Musk's takeover of Twitter. This vulnerability allowed hackers to access extensive user data, including names, usernames, bios, email addresses, IP addresses, and phone numbers. More alarmingly, the exploit could also reveal hashed passwords and 2FA codes, potentially enabling account hijacking.
Spoutible responded by confirming that no decrypted passwords or direct messages were leaked. However, they acknowledged that email addresses and some phone numbers were scraped. The platform has since rectified the vulnerability and advised users to change their passwords and reset two-factor authentication (2FA) settings.
The lesson:
This incident highlights the critical importance of robust API security in protecting user data. Even hashed passwords and 2FA codes can be vulnerable if the API exposes them. The vulnerability underscores the need for platforms to enforce strong password policies and secure their APIs against such exploits.
For users, this serves as a reminder of the importance of using strong, unique passwords and the value of enabling 2FA. However, it also shows that 2FA codes can be vulnerable if not properly protected by the service provider.
Going forward:
Spoutible has taken steps to secure its API and prevent similar incidents in the future. They have also engaged with their user base to address concerns and invite them back to the platform. For users, checking platforms like Have I Been Pwned to see if their information was compromised is a prudent step.
This breach, affecting nearly the entirety of Spoutible's user base, is a stark reminder for all digital platforms of the ongoing need to vigilantly protect user data and continuously update security measures. It also highlights for users the importance of staying informed about the security practices of the platforms they use and taking proactive steps to protect their own digital identities.
Trello
Breach date: 16 January 2024
The breach:
In January 2024, it was discovered that data from 15 million Trello users had been scraped and was being sold on a dark web hacker forum. The data included emails, usernames, full names, and other account information. Atlassian, Trello's parent company, confirmed that there was no unauthorized access to Trello’s systems. Instead, the data was obtained by exploiting a publicly accessible Trello REST API, using email addresses from previous breach corpuses to query public profile information.
The lesson:
This incident underscores the risks associated with public-facing APIs and the importance of robust privacy settings. In 2023 we used Escape’s in-house API scanner to crawl 5138 public APIs on the internet. An outstanding amount of APIs had minor security misconfiguration, but up to 12 percent of APIs had more serious vulnerabilities, and around half a percent had critical ones.
Considering that we ran only a passive scan, in the wild, and with no authentication provided, we consider that those results raise concerns about how many public APIs are easily exploitable by malicious actors.
Trello users, although not directly compromised through a system breach, were still impacted due to the public nature of their profile information. This highlights the necessity for users to be vigilant about their digital footprint and privacy settings on online platforms.
Moreover, the incident serves as a reminder for companies to continuously evaluate and reinforce their API security (consider the best API security tools for 2024), especially those that allow public data access. Implementing measures like requiring authentication for accessing public profile information can be a crucial step in preventing similar incidents. For users, the importance of using strong, unique passwords and enabling two-factor authentication cannot be overstated, especially when email and password combinations have been compromised in previous breaches.
Going forward:
In response to the incident, Trello has updated its API to require authentication for querying public profile information. They have also advised their users to review their privacy settings and ensure that any publicly available information is intentional. For companies and developers, this incident is a reminder of the importance of continuous monitoring and updating of security measures, especially in areas like public APIs that can be exploited for data scraping.
Hathway
Breach date: 17 December 2023
The breach:
Hathway, a prominent Indian ISP and cable service operator, suffered a significant data breach in December 2023. A hacker, known as 'dawnofdevil,' exploited a vulnerability in Hathway's Laravel framework application to access sensitive user data. The leaked database was initially claimed to include details of over 41 million customers, comprising names, email addresses, phone numbers, home addresses, customer registration forms, Aadhaar card copies, and KYC data. However, upon closer analysis by Hackread.com, the actual number of unique, affected accounts was closer to 4 million, after accounting for duplicates and dummy accounts.
In a rare move, the hacker developed a dark web search engine, allowing individuals to check if their data, including emails and phone numbers, was exposed. This tool represents an unusual level of engagement by a hacker with the consequences of their actions, providing potential victims a means to assess their exposure.
The lesson:
This breach highlights several critical aspects of application security. First, it underscores the importance of securing web applications, especially those using popular frameworks like Laravel, against known vulnerabilities (learn how to do it here). Secondly, it demonstrates the extent of damage that can result from a single breach, both in terms of the volume of data compromised and the variety of personal information exposed.
Going forward:
For companies handling large volumes of sensitive user data, this case study emphasizes the need for robust security measures, regular vulnerability assessments, and prompt patching of known flaws. It also highlights the importance of having an effective incident response plan that includes clear communication with affected users.
Delta Dental of California
Breach date: September 2023, disclosed December 17 2023
The breach:
Delta Dental of California, a major provider of dental insurance, was a victim of the Clop hacking group's mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. The breach, which exposed the personal information of nearly 7 million individuals, was due to an SQL injection vulnerability (CVE-2023-34362). Despite the release of an emergency patch by Progress Software, the Clop group exploited the vulnerability before Delta Dental could apply the patch, leading to a significant data exfiltration.
The lesson:
This incident highlights the critical importance of timely patch management and the risks associated with zero-day vulnerabilities. It underscores the need for organizations to have rapid response mechanisms for applying security patches, especially when dealing with software that handles sensitive data. The breach also demonstrates the challenges in responding to and recovering from cyberattacks, particularly in determining the extent of data compromised and the individuals affected.
For the healthcare sector, and any organization handling large amounts of personal data, this breach serves as a reminder of the high stakes involved in protecting against cyber threats. It emphasizes the importance of advanced data security tools and the expertise of cybersecurity professionals in quickly identifying and mitigating breaches.
Going forward:
Delta Dental's response involved extensive forensics and analytics to determine the full scope of the breach and to notify the affected individuals. The company offered credit monitoring and identity theft protection services to those impacted. For other organizations, especially those in healthcare, this incident is a wake-up call to invest in robust cybersecurity measures, including advanced monitoring tools, to identify and respond to such incidents more quickly and effectively.
Enhance your application security with Escape
As we’ve shown, application security vulnerabilities can have serious consequences. With Escape's API discovery and API security platform, you can identify and eliminate your API vulnerabilities early in the development process.
In addition to identifying vulnerabilities, we help you to empower your developers to adopt security by design with native CI/CD integration and actionable remediation code snippets for every finding.
What can Escape can do for your application security? Click below to request a free security assessment today.
Want to see real-life examples of Escape's customers? Dive right in!