What Happens When Access Controls Fail
Feb 15th, 2023
In 2017, a cybersecurity researcher discovered a broken access control vulnerability. A serious one – for as long as it was left unchecked, it exposed 60 million unwitting victims' personal records.
Luckily, the vulnerability was simple to fix. The researcher filed a report.
But reality began to set in, gradually, as the bug remained unaddressed even a full year later.
That researcher came to grips with a reality we see too often in web security, even half a decade later. In 2023, broken access controls are still rampant across industries – more so than ever, actually – in organizations of all shapes and sizes. And they pose reputational, legal and financial risks to the organizations that haven't yet noticed them, and don't do enough to stop them.
The Post Office Data Leak
It was a classic case of an immovable object versus an unstoppable force.
Few organizations represent the ways of old more so than the Postal Service – conservative, carved in stone, incapable of keeping up with the changing times. "She respected her husband," James Joyce wrote over a century ago, of a character in Dubliners, "in the same way as she respected the General Post Office, as something large, secure and fixed." But with annual losses counted in billions, and facing its usual political pressures, the Office took a step towards digital transformation. Thus birthed Informed Visibility, a service utilizing light internet-of-things technologies to provide businesses with real-time tracking information for their mail campaigns. An initiative that stumbled right out of the gate.
Informed Visibility's API logic was leaking the real-time data it was collecting, and that was just part of the issue. An authorization flaw in the API could've allowed any ill-intentioned user on usps.com to retrieve account information – usernames, phone numbers, email addresses, you name it – from any other user. The unauthorized user also could have requested changes to any of those account details.
And it only got worse from there. As Brian Krebs reported at the time, "Many of the API’s features accepted ‘wildcard’ search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. "Such a flaw would've come in handy for miscreants looking to scrape large amounts of personal data at once, to use in future attacks or sell on the dark web. They also would've been helped by the fact that "in cases where multiple accounts shared a common data element — such as a street address — using the API to search for one specific data element often brought up multiple records."
Notably, exploiting the Informed Visibility authorization flaw would've required no special hacking tools, or any advanced knowledge beyond how to view and edit ordinary browser data.
Over a year after that anonymous security researcher reported the bug to USPS, they reported it to Krebs, prompting USPS to finally deploy a patch in late 2018.
The Scale of the Problem
In the last decade, more and more organizations have been expanding and adjusting to newer and more complex technologies. But when something expands – imagine, for instance, a net, or water hardening into ice – it leaves holes behind. In web applications the holes, more often than anything else, have been broken access controls. These holes have grown so prevalent that stories like USPS' are no longer exceptions, but the norm.
Perhaps there was no better demonstration than what happened at First American Financial – a six billion dollar title insurance corporation. Shortly after a researcher uncovered that USPS was leaking 60 million user records, in Washington state, a real estate developer named Ben Shoval came upon a similar discovery in FirstAm's website. The difference was that Shoval had no technical cyber security experience to speak of. The vulnerability he discovered was so fundamental, so blatantly obvious that he'd found it by total accident, no technical expertise required.
For background: title insurance companies traffick in large amounts of documentation containing real-estate buyers and sellers' personal information – social security numbers, driver's licenses and any other personal or business information that might pertain to a deal. Someone like Shoval could've accessed documents related to one of his dealings via firstam.com, at a special domain associated with it.
However, Shoval was also able to view other people's documentation, merely by changing a digit in the URL. It was all so simple.
Just imagine, for simplicity's sake, that you could view a document associated with your mortgage at
www.firstam.com/doc/000001289. By merely changing the last digit in the link –
www.firstam.com/doc/000001288 – you could view a different document, whether or not it related to your mortgage or somebody else's. At 000001287 a different document, at 000032494 another – you could go all the way back to document 000000075, reflecting a real estate transaction from 2003, without any authorization required.
In other words, the website had no access control in place to speak of. As a result, the site was leaking around 885 million documents.
It seems remarkable but, again, this was part of a pattern. One government organization was leaking 14 million user records due to the same exact kind of flaw. Same story for Fiserv, a multi-billion-dollar fintech company, whose missing access controls affected hundreds of partner banks' websites and their millions of customers. LifeLock, an identity protection company, allowed the same basic oversight to leak millions of their customers' email addresses.
Not one of these leaks would've required any special hacking skills or tools to exploit.
In the same year all of these stories occurred, The Open Web Application Security Project (OWASP) released its semi-annual top ten list of the most common and most critical security risks to web applications. Broken access control made the list, at the number five spot. In case it wasn't already obvious that many organizations were demonstrating the same kind of weakness.
But even all this hardly compared with what was to come.
Why Broken Access is Worse Than Ever
Organizations used to run large, monolithic applications from servers they hosted "on-premises." This paradigm may have been inflexible, cumbersome, and costly, but it was also simple. Interface, data, and business logic – the entire codebase, including any rules and roadblocks of authorization – were all in one place.
Monoliths broke into tiers, and then microservices. There was a real benefit to handling each application function as its own service, independent of one another. This led to greater efficiency across the board, seamless scaling, and cost savings.
But large organizations today have hundreds, even thousands of microservices deployed at one time – giant webs of bespoke APIs talking to one another over the cloud. What happens if different services have their own way of handling authorization? As you can imagine, it gets messy.
So by the time OWASP released its next, most recent top ten in 2021, it didn't take a keen eye to notice what changed. Broken access controls hadn't just stayed on the list, but moved all the way up to the top spot. The authors of the report had discovered 318,000 instances of broken access vulnerabilities in their new dataset – "more occurrences in applications than any other category."
What to Do
Whether because of the movies, or because it makes for the best news, we tend to envision computer hacking as a grand endeavor – something carried out by nation-state APTs, with special cyber weaponry, green 0s and 1s scrolling past black screens. But the most common web security vulnerability is far less dramatic than that, and far less laborious to pull off. It arises from the basic editing of a URL, or an already authenticated user simply ending up somewhere they shouldn't.
In their 2021 report, OWASP lays out a series of steps organizations can take to identify and mitigate broken access controls, such as denying by default any non-public resources, logging and alerting when access control failures arise, and implementing a unified access control system across an entire application.
This last point is the most crucial. When authorization is as micro- as all of the services it engages with, it risks being just as diverse and potentially incongruous as they all are. The substance expands, and it leaves holes behind. A centralized solution solves that, providing both security and simplicity.
As applications have evolved – today sporting more diversity, functionality, and complexity than ever – the cyber attack surface has widened proportionately. But while the media and discourse around web security tends to focus on the most dramatic vulnerabilities, it's the most ordinary that pose the greatest threat.
Today, broken access controls are the world's common source of application security failures. They tend to be comparatively simple – one wayward digit in a URL, or an insufficiently fine-tuned API – which, perhaps, makes them easier to overlook. But the risk in allowing users to act outside of their intended permissions is as great as with any other kind of cyber failure, with potential for both reputational and financial consequences for organizations and their users alike.
Proper consideration and hygiene around access controls is necessary for the wellbeing of any organization with any kind of internet footprint, and it requires only a minor shift in approach.
If you are evaluating your access control solution, Aserto is here to help. Go here to book time to speak with an engineer about your needs.