CloudSEK Payment API Vulnerabilities

Millions of users’ personal information and payment information have been compromised due to CloudSEK payment API vulnerabilities.

According to CloudSEK, nearly 13,000 apps were uploaded to its BeVigil “security search engine” for mobile applications. Around 250 of these use the Razorpay API to facilitate financial transactions, and approximately 5% of those were found to be exposing their payment integration key ID and key secret.

The flaw lies in how app developers handle the API, not in Razorpay itself, which serves nearly eight million businesses.

BeVigil in a statement said, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.”
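As an added example, not from the article or from CloudSEK or Razorpay, the scanner below flags the hardcoded key_id/key_secret pattern the statement describes when run over constructed sample app sources. The rzp_live_/rzp_test_ key ID format is assumed from Razorpay's public key convention, and the file contents are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for decompiled app sources.
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">ShopDemo</string>\n'
        '  <string name="razorpay_key">rzp_live_Ab12Cd34Ef56Gh</string>\n'
        '</resources>\n'
    ),
    "app/src/main/java/com/example/pay/Checkout.kt": (
        'object Checkout {\n'
        '    const val KEY_ID = "rzp_test_Zy98Xw76Vu54Ts"\n'
        '    const val KEY_SECRET = "s3cr3tValueConstructedForExample"\n'
        '}\n'
    ),
    # Safe pattern: key injected at build time, so no literal to flag.
    "app/src/main/java/com/example/pay/Config.kt": (
        'object Config {\n'
        '    val keyId = BuildConfig.RZP_KEY_ID   // injected at build time\n'
        '}\n'
    ),
}

# Key IDs are assumed to follow rzp_<mode>_<14 alphanumerics>; secrets are
# only caught when assigned to a name that says what they are.
KEY_ID_RE = re.compile(r'\brzp_(live|test)_[A-Za-z0-9]{14}\b')
SECRET_RE = re.compile(
    r'(?i)\bkey_?secret\b\s*(?:=|:|>)\s*"?([A-Za-z0-9_\-]{16,})')

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "key_id" or "key_secret"
    severity: str  # "high" for live keys or any secret, else "medium"
    value: str

def scan_source(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            sev = "high" if m.group(1) == "live" else "medium"
            findings.append(Finding(path, lineno, "key_id", sev, m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "key_secret", "high", m.group(1)))
    return findings

def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_source(path, text)]
```

A live key or any paired secret is rated high because it can be used against the production account; a test-mode key alone is rated medium.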

The company further said it caters to a wide range of large and small companies, which in turn serve millions of users through mobile apps whose API keys are hardcoded in the app packages. These keys can easily be discovered by bad actors or competitors and misused to compromise user data and networks.

The data exposed in this fashion can include useful information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. CloudSEK further clarified that the exposure can reach further, since the same apps are usually integrated with other applications.

The API information can be misused by bad actors to make bulk purchases and then initiate refunds, and to sell stolen data on the dark web. They can also use it to launch social engineering attacks such as follow-on phishing attempts, the firm claimed.

The company has deactivated all 10 of the leaky APIs and urged developers to understand the potential impact of such issues early on and set up review processes to prevent them from escalating.
Invalidating a payment integration key will stop an app from working, avoiding further user friction and financial losses.

CloudSEK finally said, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.”

“App developers should be given a mechanism to limit what can be done using a key at a granular level as AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
