News: 1718948304

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Coding error in forgotten API blamed for massive data breach

(2024/06/21)


The data breach at Australian telco Optus, which saw over nine million customers' personal information exposed, has been blamed on a coding error that broke API access controls, and was left in place for years.

A Wednesday [1]court filing [PDF] includes an account of the incident penned by Australia's Communications and Media Authority (ACMA), which is using its regulatory powers to pursue Optus.

The Authority alleges that Optus stored customer info and made it accessible to authenticated customers at www.optus.com.au and api.optus.com.au – described as the "Main" and "Target" domains. Retrieving that info required use of APIs that the filing describes as "Target APIs."

[2]

The Target domain existed to segregate API traffic from static content at the Main domain, and had been internet-facing since 2017. The Target APIs were secured by "various access controls designed to prevent unauthorized access."

[3]

[4]

But in 2018 a coding error broke one of those access controls, and meant it didn't work on either the Target or Main domain.

Optus spotted that error … in 2021, when it fixed it – but only for the Main domain.

[5]

The problem was not detected on the Target domain, and therefore wasn't fixed.

The Target domain, however, remained online and internet-facing. The court filing suggests it "was not decommissioned despite a lack of any need for it."

In September 2022, an attacker "was able to bypass access controls and send requests to the Target APIs." Doing so returned customer information for 9.5 million people – and sent Optus and its Singaporean owner, Singtel, into a world of pain.

[6]

The filing offers the following assessment of the incident:

"The cyber attack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus's processes or systems. It was carried out through a simple process of trial and error."

There but for the grace of Git goes many a reader, we suspect.

Optus has not disputed the account of the attack.

ACMA is seeking civil penalties in the case. Singtel has [7]advised [PDF] investors it can't determine the quantum of penalties but will defend the case. ®

Get our [8]Tech Resources



[1] https://www.comcourts.gov.au/file/Federal/P/VID429/2024/3981938/event/31836639/document/2300547

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnVPPXqCXA7nJD2VbyEW7gAAAJQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.singtel.com/content/dam/singtel/investorRelations/stockExchange/2024/Ann_240614_OptusMediaRelease.pdf

[8] https://whitepapers.theregister.com/



Did AI update the software?

Version 1.0

Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves. - Alan Kay

But I see AI as simple repeating the error methods that we all created originally when Alan wrote that.

Re: Did AI update the software?

Korev

> But I see AI as simple repeating the error methods

Well Optus Prime is a transformer

Anonymous Coward

Optus always denied everything, including that they even leaked anything.

"api.optus.com.au"

Mike 137

Coding error apart (we can all make mistakes), to call a public facing service "api" anything is the height of idiocy as it invites attack. Nevertheless, one does wonder why the public facing service wasn't pen tested before going live. As indeed one wonders why practically nobody does.

sitta_europea

Rule one in the security playbook:

Make an inventory.

Modern psychology takes completely for granted that behavior and neural
function are perfectly correlated, that one is completely caused by the
other. There is no separate soul or lifeforce to stick a finger into the
brain now and then and make neural cells do what they would not otherwise.
Actually, of course, this is a working assumption only. ... It is quite
conceivable that someday the assumption will have to be rejected. But it
is important also to see that we have not reached that day yet: the working
assumption is a necessary one and there is no real evidence opposed to it.
Our failure to solve a problem so far does not make it insoluble. One cannot
logically be a determinist in physics and biology, and a mystic in psychology.
-- D. O. Hebb, "Organization of Behavior: A Neuropsychological
Theory", 1949