Coding error in forgotten API blamed for massive data breach
- Reference: 1718948304
- News link: https://www.theregister.co.uk/2024/06/21/optus_data_breach_faulty_api/
- Source link:
A Wednesday [1]court filing [PDF] includes an account of the incident penned by Australia's Communications and Media Authority (ACMA), which is using its regulatory powers to pursue Optus.
The Authority alleges that Optus stored customer info and made it accessible to authenticated customers at www.optus.com.au and api.optus.com.au – described as the "Main" and "Target" domains. Retrieving that info required use of APIs that the filing describes as "Target APIs."
[2]
The Target domain existed to segregate API traffic from static content at the Main domain, and had been internet-facing since 2017. The Target APIs were secured by "various access controls designed to prevent unauthorized access."
[3]
[4]
But in 2018 a coding error broke one of those access controls, and meant it didn't work on either the Target or Main domain.
Optus spotted that error … in 2021, when it fixed it – but only for the Main domain.
[5]
The problem was not detected on the Target domain, and therefore wasn't fixed.
The Target domain, however, remained online and internet-facing. The court filing suggests it "was not decommissioned despite a lack of any need for it."
In September 2022, an attacker "was able to bypass access controls and send requests to the Target APIs." Doing so returned customer information for 9.5 million people – and sent Optus and its Singaporean owner, Singtel, into a world of pain.
[6]
The filing offers the following assessment of the incident:
"The cyber attack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus's processes or systems. It was carried out through a simple process of trial and error."
There but for the grace of Git goes many a reader, we suspect.
Optus has not disputed the account of the attack.
ACMA is seeking civil penalties in the case. Singtel has [7]advised [PDF] investors it can't determine the quantum of penalties but will defend the case. ®
Get our [8]Tech Resources
[1] https://www.comcourts.gov.au/file/Federal/P/VID429/2024/3981938/event/31836639/document/2300547
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.singtel.com/content/dam/singtel/investorRelations/stockExchange/2024/Ann_240614_OptusMediaRelease.pdf
[8] https://whitepapers.theregister.com/
Re: Did AI update the software?
> But I see AI as simple repeating the error methods
Well Optus Prime is a transformer
Optus always denied everything, including that they even leaked anything.
"api.optus.com.au"
Coding error apart (we can all make mistakes), to call a public facing service "api" anything is the height of idiocy as it invites attack. Nevertheless, one does wonder why the public facing service wasn't pen tested before going live. As indeed one wonders why practically nobody does.
Rule one in the security playbook:
Make an inventory.
Did AI update the software?
Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves. - Alan Kay
But I see AI as simple repeating the error methods that we all created originally when Alan wrote that.