{"id":12697,"date":"2022-09-30T06:15:15","date_gmt":"2022-09-29T20:15:15","guid":{"rendered":"https:\/\/terem.tech\/?p=12697"},"modified":"2022-10-07T10:34:11","modified_gmt":"2022-10-06T23:34:11","slug":"optus-api-hack-analysis","status":"publish","type":"post","link":"https:\/\/terem.tech\/optus-api-hack-analysis\/","title":{"rendered":"Optus API Hack – Analysis"},"content":{"rendered":"\n

<\/strong><\/p>\n\n\n\n

The Optus hack is the third biggest breach<\/a> of Australian consumer Personally Identifiable Information (PII) in history, with 9.8m customer records being exposed. <\/p>\n\n\n\n

Optus maintains that the hack was a sophisticated attack, using rotating IP addresses to carry out the attack. <\/p>\n\n\n\n

The Minister For Cyber Security, Clare O\u2019Neil, and the Federal Government have slammed Optus, indicating that their belief is that Optus “left the window open\u201d<\/a>. It\u2019s worth noting that this is a technique that has been in use so long it\u2019s been consumerised into products that do it for you and even into browsers. For example, Brave Browser has a built-in ToR network routing and with about 40 lines of python code you can force new IP address circuits<\/a>. <\/p>\n\n\n\n

Who is right? Sophisticated attack or a gaping hole in security? Let\u2019s look at thoughts from several analysts. While there is an ongoing criminal investigation, some of the details are under wraps, analysts are fairly sure they understand the nature of the breach. <\/p>\n\n\n\n

It is so simple it\u2019s scary.<\/p>\n\n\n\n

Cardinal Sin 1 – Unauthenticated endpoint<\/strong><\/h3>\n\n\n\n

There is some debate over whether the endpoint had authentication at ALL. Journalist Jeremy Kirk talked to the hacker responsible<\/a>. They claimed it was a completely unauthenticated endpoint that they accessed the data through. <\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Optus has since taken the endpoint down so we can no longer validate this fact. If the hacker is correct then Optus had at least one endpoint that was completely devoid of any authentication or authorisation. You could have whipped up a curl script (a simple script that kids learn in school) and have made a request against this endpoint with no login credentials.<\/p>\n\n\n\n

If this is true it wouldn’t be a particularly sophisticated hack. You can\u2019t exactly call it a security breach if you don\u2019t have any security. <\/p>\n\n\n\n

There is some contention over whether or not the endpoint was secure. Some analysts believe that it at least had some kind of cookie based authentication. In code samples of API consumers we can see that cookies are set, but without insight we may never know. <\/p>\n\n\n\n

If we give Optus the benefit of the doubt and assume it was an authenticated endpoint then surely with a secure endpoint there\u2019s no way for this breach to have occurred? Unfortunately, this brings us to the next attack vector.<\/p>\n\n\n\n

Cardinal Sin 2 – Insecure direct object references<\/strong><\/h3>\n\n\n\n

Back in 2007<\/a> OWASP brought the IDOR (Insecure Direct Object References) vulnerability to the forefront of people\u2019s attention by placing it at number 4 in their top 10 most critical risks to web applications. <\/p>\n\n\n\n

What is an IDOR vulnerability? Let\u2019s take a look, we can use Optus as an example (thanks to @onejvo<\/a> for breaking this example<\/a> down for us).<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

This is code pulled from a public github repo that talks to the endpoint in question (the hacker and one other anonymous source confirmed the endpoint with Jeremy Kirk).<\/p>\n\n\n\n

Line 78 defines an endpoint. It looks rather harmless, It has two query string params and an ID as part of its route. <\/p>\n\n\n\n