Hundreds of Android applications distributed through the Google Play store have been found to leak application programming interface (API) keys, putting users at risk of identity theft and other threats.
Cybersecurity researchers at CloudSEK discovered these risks by analyzing 600 applications on the Play Store using the company’s BeVigil security search engine.
Overall, the team found that half (50%) of them leaked API keys for three of the top transactional and email marketing service providers, exposing users to fraud.
MailChimp, SendGrid, Mailgun
CloudSEK found apps leaking API keys for MailChimp, SendGrid and Mailgun. A leaked key allows a threat actor to send emails, delete API keys and even change multi-factor authentication (MFA) settings. CloudSEK then notified the app developers of its findings.
Between them, the affected apps have been downloaded 54 million times, and their users are now at risk. Most of the potential victims are in the US, with significant shares in the UK, Spain, Russia and India.
“In modern software architectures, APIs integrate new application components into existing architectures, making their security essential,” comments CloudSEK. “Software developers should avoid embedding API keys in their applications and should follow secure coding and deployment practices such as standardizing review procedures, rotating keys, hiding keys, and using vaults.”
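As an added illustration of the review step CloudSEK recommends (this is example code, not CloudSEK's tooling or anything from the article), the scanner below flags key-shaped strings for the three providers in a decoded app tree so a pre-release check can fail the build before a key ships. The key formats, file suffixes and the sample strings.xml are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Assumed key formats (constructed for this example; confirm against each
# provider's current documentation before relying on them):
#   Mailchimp : 32 hex chars, "-us", then the datacenter number, e.g. ...-us21
#   SendGrid  : "SG." + two dot-separated base64url segments
#   Mailgun   : legacy "key-" + 32 hex chars
KEY_PATTERNS = {
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{16,32}\.[A-Za-z0-9_-]{32,64}\b"),
    "mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
}

# Text-like files found in apktool/jadx output; binary blobs are skipped.
SCAN_SUFFIXES = {".xml", ".smali", ".java", ".kt", ".json", ".properties", ".txt", ".js"}


def redact(secret: str) -> str:
    """Keep only the ends so the report itself does not re-leak the key."""
    return secret[:6] + "..." + secret[-4:]


def find_keys(text: str, source: str = "<input>") -> list[dict]:
    """Return one finding per key-shaped string, with the secret redacted."""
    findings = []
    for provider, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"provider": provider, "source": source,
                             "key": redact(match.group(0))})
    return findings


def scan_tree(root: str) -> list[dict]:
    """Walk a decoded app directory and scan every text-like file in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(find_keys(text, str(path)))
    return findings


# Constructed res/values/strings.xml containing three fake embedded keys.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo</string>
    <string name="mc_key">0123456789abcdef0123456789abcdef-us21</string>
    <string name="sg_key">SG.abcdefghijklmnopqrstuv.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq</string>
    <string name="mg_key">key-fedcba9876543210fedcba9876543210</string>
</resources>"""

if __name__ == "__main__":
    for f in find_keys(SAMPLE_STRINGS_XML, "res/values/strings.xml"):
        print(f"{f['provider']:10} {f['source']}: {f['key']}")
    # A CI job would exit non-zero whenever the findings list is non-empty.
```

Run it against an apktool or jadx output directory with `scan_tree("path/to/decoded-app")`; any hit means the key should be rotated and moved out of the client into a server-side vault.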
Of the three services, MailChimp is by far the largest, and a leaked MailChimp API key allows whoever holds it to read email conversations, steal customer data, obtain email lists, run their own email campaigns and manipulate promo codes.
Additionally, hackers may authorize third-party apps connected to the MailChimp account. In total, the researchers identified 319 MailChimp API keys, more than a quarter (28%) of which were valid, and 12 of which granted access to read emails.
A compromised Mailgun API key would allow an attacker to send and read emails, and could also expose Simple Mail Transfer Protocol (SMTP) credentials, IP addresses and various statistics. Customer mailing lists could also be stolen.
SendGrid, by contrast, is a communications platform that helps businesses deliver transactional and marketing emails through a cloud-based email delivery service. With a leaked API key, hackers can send emails, create API keys and control the IP addresses used to access the account.
Via: Info Security Magazine