India has a government ID database known as Aadhaar. It contains personal information on over 1.1 billion of their citizens and includes information that can be easily used for identity theft. This database is used by many government agencies to verify citizens when opening a bank account, buying a SIM card, applying for financial aid, signing up for utilities like electricity and water and more.
A security researcher identified a huge security issue with a state-run utility company called Indane that had access to the Aadhaar API to verify their customers. Unfortunately, that API was publicly accessible. Furthermore, the API had no access controls for proper authentication. A simple hardcoded access token would give anyone direct access to the Aadhaar database, with no rate limiting. The consequence was unfettered access to search for citizen’s unique numbers, and download their personal information.
The Aadhaar tragedy wasn’t a hack. A huge percentage of vulnerabilities in an API program aren’t due to hackers, but to human error and unsuccessful testing methodologies. If Indane had a team dedicated to creating a series of automated tests for their API program, the first item they would have flagged was being able to access the endpoint from outside the system. Then a series of tests against their authentication scheme would have triggered another red flag, since there was only one token and it was hardcoded.
I can’t even say this critical vulnerability is something that only API Fortress would have captured. Any proper testing methodology would have caught these issues during the test creation and setup, let alone the executions. A proper planning phase would find these issues immediately.
Huge data breaches always capture headlines, and when there is a group of hackers involved it is an even more shocking story. What is important to note is that a huge amount of data breaches aren’t due to complex schemes by hackers, bur rather to human error left unchecked, in this case, due to failed API testing. Similarly, Equifax had a lot of these issues, such as using a password, “admin” and sharing passwords in plain text.