Last Updated on 22/11/2021 by Sanskriti
Vulnerability put users' personal information at risk
According to a report by CloudSEK, whose mobile-app security search engine BeVigil scanned around 13,000 apps, roughly 250 of them use the Razorpay API to process payments. Several of those apps were found to be vulnerable to API security issues that could have exposed the payment and personal information of millions of consumers: approximately 5% of them had their Razorpay payment integration credentials, the key ID and key secret, embedded in the app itself.
Razorpay, which serves around eight million businesses, is not at fault; the problem is app developers mishandling their API keys.
The firm explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.”
“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.”
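The discovery step CloudSEK describes is mechanical: unpack the app and grep for the provider's key format. The following scanner is an added example, not CloudSEK's or BeVigil's tooling. It assumes the APK has already been unpacked into a directory (for example with apktool, so resources and smali/Java sources are plain text) and that Razorpay key IDs carry the documented `rzp_test_`/`rzp_live_` prefix; the key-secret heuristic (a 24-character alphanumeric literal within 40 characters of the word "secret") and the sample file contents are constructed for illustration. It separates the public key ID, which the checkout SDK legitimately needs, from the key secret, which must never ship in the app.

```python
"""Find Razorpay credentials hardcoded in an unpacked Android app.

Added example, not CloudSEK's or BeVigil's own tooling. It assumes the APK has
already been unpacked into a directory (e.g. with apktool) and that key IDs
carry the documented rzp_test_/rzp_live_ prefix. The secret heuristic is an
assumption made for illustration; production scanners add entropy checks and
provider-specific validation on top of this.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# The key ID is meant to be public: the checkout SDK needs it, so finding one
# in the app is expected and only informational.
KEY_ID_RE = re.compile(r"\brzp_(?:test|live)_[A-Za-z0-9]{14}\b")
# The key secret has no fixed prefix, so look for a 24-char alphanumeric
# literal shortly after the word "secret" (KEY_SECRET, razorpay_secret, ...).
KEY_SECRET_RE = re.compile(r"(?i)secret\b[^\n]{0,40}?\b([A-Za-z0-9]{24})\b")
TEXT_SUFFIXES = (".xml", ".java", ".kt", ".smali", ".json", ".properties", ".js")


@dataclass
class Finding:
    path: str
    line: int
    kind: str       # "key_id" or "key_secret"
    value: str
    severity: str   # "info" for a key ID, "critical" for a secret


def scan_file(path):
    """Return findings for one text file; unreadable files are skipped."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            lines = fh.readlines()
    except OSError:
        return findings
    for no, line in enumerate(lines, 1):
        for m in KEY_ID_RE.finditer(line):
            findings.append(Finding(path, no, "key_id", m.group(0), "info"))
        for m in KEY_SECRET_RE.finditer(line):
            findings.append(Finding(path, no, "key_secret", m.group(1), "critical"))
    return findings


def scan_tree(root):
    """Walk an unpacked APK directory and collect findings from text files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(TEXT_SUFFIXES):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarise(findings):
    """Count findings per severity; a 'critical' count above zero means the secret shipped."""
    counts = {"info": 0, "critical": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def build_sample_app(root):
    """Write a constructed, unpacked app tree containing a public key ID in two
    places and one leaked secret. All values are made-up placeholders."""
    res = os.path.join(root, "res", "values")
    src = os.path.join(root, "smali", "com", "example", "pay")
    os.makedirs(res)
    os.makedirs(src)
    with open(os.path.join(res, "strings.xml"), "w") as fh:
        fh.write('<resources>\n'
                 '  <string name="razorpay_key_id">rzp_test_0000000000ABCD</string>\n'
                 '  <string name="razorpay_secret">ExampleSecretDoNotUse000</string>\n'
                 '</resources>\n')
    with open(os.path.join(src, "Config.java"), "w") as fh:
        fh.write('public final class Config {\n'
                 '  // secret handling moved to backend; only the public ID stays here\n'
                 '  static final String KEY_ID = "rzp_live_0000000000WXYZ";\n'
                 '}\n')
    return root


def scan_sample():
    """Build the constructed sample app in a temp dir, scan it, and return the
    findings with paths made relative to the app root."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_tree(build_sample_app(tmp))
        for f in findings:
            f.path = os.path.relpath(f.path, tmp)
        return findings


if __name__ == "__main__":
    results = scan_sample()
    for f in results:
        print(f.severity.upper(), f.kind, f.path, f"line {f.line}", f.value)
    print(summarise(results))
```

Run against a real unpacked APK with `scan_tree("/path/to/unpacked")`; a single critical finding is enough to treat the key pair as compromised, since the key ID that accompanies it is, by design, already public.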
Email addresses, phone numbers, transaction amounts and IDs, and order and refund details were also exposed. Because these APIs are typically integrated into other applications and wallets, CloudSEK said, threat actors could use the exposed keys to make bulk purchases and then issue refunds, sell the stolen data on the dark web, and more. Although all 10 leaked keys have since been deactivated, CloudSEK urged developers to consider the impact of leaked API keys early on and to set up review processes that catch them before an app ships: invalidating a payment integration key breaks payments for the app until a new key is rolled out, so prevention is far cheaper than remediation.
CloudSEK concluded: “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.”
“App developers should be given a mechanism to limit what can be done using a key at a granular level as AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
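What that recommendation looks like in code, as an added example that is neither Razorpay's nor AWS's: the provider attaches a policy to each key and evaluates every API call against it, so a key that leaks from an app can do no more than its policy allows, and a key that is already live can be narrowed in place rather than rotated. The action and resource names (`orders:create`, `refunds:create`, `merchant/acme/...`) and the evaluation rules (default deny, an explicit Deny beats any Allow, `*` wildcards) are assumptions modelled on AWS IAM semantics, not a real payment provider's API. The probes mirror the abuse described above: bulk orders, refunds, customer data dumps, and use against another merchant.

```python
"""Scope a payment-gateway API key to named operations, IAM-style.

Added example, not Razorpay's or AWS's code. Action/resource names and the
evaluation semantics are assumptions modelled on AWS IAM policies.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: list      # patterns such as "orders:create" or "refunds:*"
    resources: list    # patterns such as "merchant/acme/*"


@dataclass
class ApiKey:
    key_id: str
    statements: list = field(default_factory=list)
    revoked: bool = False


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(key, action, resource):
    """Default deny; a matching Deny overrides every Allow (IAM-style)."""
    if key.revoked:
        return False
    allowed = False
    for st in key.statements:
        if _matches(st.actions, action) and _matches(st.resources, resource):
            if st.effect == "Deny":
                return False
            allowed = True
    return allowed


# Calls an attacker holding a leaked key might try (constructed probes).
PROBES = [
    ("create_order",   "orders:create",  "merchant/acme/orders/order_1"),
    ("fetch_payment",  "payments:fetch", "merchant/acme/payments/pay_1"),
    ("refund_payment", "refunds:create", "merchant/acme/payments/pay_1"),
    ("dump_customers", "customers:list", "merchant/acme/customers"),
    ("other_merchant", "orders:create",  "merchant/other/orders/order_9"),
]


def what_can_it_do(key):
    """Map each probe to whether the key is permitted to perform it."""
    return {label: is_allowed(key, action, resource) for label, action, resource in PROBES}


def full_access_key(key_id):
    """Today's model: one key, every operation on every resource."""
    return ApiKey(key_id, [Statement("Allow", ["*"], ["*"])])


def restrict_to_checkout(key, merchant):
    """Minimise a live key without rotating it: keep only the two calls an app
    checkout needs, scoped to the owning merchant. The explicit Deny is
    belt-and-braces: it still wins if someone later adds a broader Allow."""
    key.statements = [
        Statement("Allow", ["orders:create", "payments:fetch"], [f"merchant/{merchant}/*"]),
        Statement("Deny", ["refunds:*", "customers:*"], ["*"]),
    ]
    return key


if __name__ == "__main__":
    key = full_access_key("rzp_live_0000000000WXYZ")   # placeholder, not a real key
    print("before:", what_can_it_do(key))
    restrict_to_checkout(key, "acme")
    print("after: ", what_can_it_do(key))
```

The point of `restrict_to_checkout` is that the app keeps working (it can still create orders and poll payment status) while the refund, customer-listing and cross-merchant calls that make a leaked key valuable are denied, without the outage that invalidating the key would cause.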