Researchers have revealed that millions of consumers had their personal and financial details exposed by an API security lapse affecting several applications. CloudSEK, a cybersecurity and machine intelligence firm, stated that of the roughly 13,000 applications indexed by its security search engine, BeVigil, around 250 use the Razorpay API to process payments.
About 5% of those 250 applications, ten in all, exposed their Razorpay credentials, specifically the key ID and key secret. The root cause is mishandling of API credentials by the application developers, not a flaw in Razorpay itself, which serves over 8 million businesses.
The firm explained that to make API requests to a payment service provider, an application integrating the gateway must present the API key pair, key_id and key_secret.
The developers of the affected applications had accidentally embedded this key pair in the application source code during integration, unaware of how significant the impact of such a leak could be for the entire business ecosystem.
The firm added that threat actors or competitors who find the exposed keys could compromise the merchant's sensitive user information and networks. It also warned that user information such as names, phone numbers, email addresses, transaction IDs and transaction details could be used for illegal activities: making bulk purchases and then requesting refunds, selling the stolen data on the black market, or running phishing scams.
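The leak described above is detectable with a plain source scanner, which is how a tool like BeVigil would surface it in decompiled app code. The following is an added example written for this article, not CloudSEK's or Razorpay's code. It assumes two things that are documented Razorpay conventions: key IDs start with "rzp_live_" or "rzp_test_", and the API is authenticated with HTTP Basic auth using "key_id:key_secret". The sample source snippets, key ID and secret are constructed for the demonstration and belong to no real application.

```python
import base64
import math
import re
from collections import Counter

# Razorpay key IDs carry a documented "rzp_live_" / "rzp_test_" prefix. The key
# secret has no fixed shape, so it is found by context (an assignment whose name
# mentions "secret") plus an entropy check, or by decoding a hard-coded HTTP
# Basic header, which Razorpay's API uses as "key_id:key_secret".
KEY_ID_RE = re.compile(r"\brzp_(?:live|test)_[A-Za-z0-9]{8,}\b")
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(?:key_?secret|secret)\W{0,5}[\"']([A-Za-z0-9_\-]{16,})[\"']")
BASIC_AUTH_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]{20,})")


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score well above config words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never copy a live credential into scanner output or a ticket."""
    return value[:6] + "..." + value[-2:]


def scan(text: str, source: str = "<input>") -> list:
    """Return findings for every Razorpay key ID, secret or Basic header in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            findings.append({"kind": "razorpay_key_id", "value": m.group(0),
                             "source": source, "line": lineno})
        for m in SECRET_ASSIGN_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= 3.0:
                findings.append({"kind": "razorpay_key_secret",
                                 "value": redact(m.group(1)),
                                 "source": source, "line": lineno})
        for m in BASIC_AUTH_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64 / not text: some other Basic token
            user, sep, secret = decoded.partition(":")
            if sep and KEY_ID_RE.fullmatch(user):
                findings.append({"kind": "razorpay_basic_auth",
                                 "value": f"{user}:{redact(secret)}",
                                 "source": source, "line": lineno})
    return findings


def severity(findings: list) -> str:
    kinds = {f["kind"] for f in findings}
    if kinds & {"razorpay_key_secret", "razorpay_basic_auth"}:
        return "critical"  # secret in the client: anyone with the APK has full API access
    if "razorpay_key_id" in kinds:
        return "info"      # key_id alone is meant to be public (Checkout sends it)
    return "none"


# Constructed sample: what a decompiled BuildConfig and HTTP call of a leaky
# app might look like. Not taken from any real application.
_SECRET = "s3cr3tXyZ0123456789abcdef"
_B64 = base64.b64encode(f"rzp_live_AbCdEf1234567X:{_SECRET}".encode()).decode()
LEAKY_SOURCE = f'''\
public final class BuildConfig {{
  public static final String RAZORPAY_KEY_ID = "rzp_live_AbCdEf1234567X";
  public static final String RAZORPAY_KEY_SECRET = "{_SECRET}";
}}
// elsewhere: request.header("Authorization", "Basic {_B64}");
'''

# Constructed sample of the safe pattern: only the public key_id ships in the
# client; order creation and the secret stay on the merchant's own server.
CLEAN_SOURCE = '''\
public final class BuildConfig {
  public static final String RAZORPAY_KEY_ID = "rzp_live_AbCdEf1234567X";
  public static final String ORDER_ENDPOINT = "https://api.example.com/orders";
}
'''

if __name__ == "__main__":
    for name, src in (("leaky", LEAKY_SOURCE), ("clean", CLEAN_SOURCE)):
        hits = scan(src, name)
        print(name, severity(hits), [(h["kind"], h["line"]) for h in hits])
```

The distinction the severity function draws is the practical one: a key_id in a client is expected, because the hosted checkout needs it, whereas a key_secret or a pre-built Basic header in the client is the flaw the article describes, since it grants the same API access the merchant's server has.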
Although all 10 exposed keys have since been deactivated, the firm advises developers to be more aware of the impact such flaws can have on the business and to conduct code review processes so that future incidents are avoided.
The firm also advised that payment providers should design their APIs so that the permissions of a key can be reduced even when the key has not been invalidated, since regenerating API keys is a complex process. Application developers should likewise be given a mechanism to limit, at a granular level, what can be done with a key, similar to AWS, so that the damage possible with an exposed API key is minimized.
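To make the recommendation concrete, here is an added example of the IAM-style scoped-key model the article is asking for. It is a hypothetical design written for this page, not Razorpay's API: the action names, the Statement and ApiKey fields, and the key IDs are all assumptions. It shows an unscoped legacy key, a key restricted to creating orders below a per-call amount cap, and the "scope down without rotating" operation that attaches a Deny to a key that is already in circulation.

```python
import fnmatch
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Statement:
    effect: str                       # "Allow" or "Deny"
    actions: Tuple[str, ...]          # glob patterns: "orders:create", "refunds:*", "*"
    max_amount: Optional[int] = None  # Allow-only per-call cap, in minor currency units


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    statements: Tuple[Statement, ...]
    revoked: bool = False


def evaluate(key: ApiKey, action: str, amount: int = 0) -> Tuple[str, str]:
    """Default deny; an explicit Deny beats any Allow, as in IAM policy evaluation."""
    if key.revoked:
        return ("deny", "key revoked")
    reason = "no statement allows " + action
    allowed = False
    for st in key.statements:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in st.actions):
            continue
        if st.effect == "Deny":
            return ("deny", f"explicit deny for {action}")
        if st.max_amount is not None and amount > st.max_amount:
            reason = f"amount {amount} exceeds per-call cap {st.max_amount}"
            continue
        allowed = True  # keep looping: a later Deny must still win
    return ("allow", "matched an Allow statement") if allowed else ("deny", reason)


def restrict(key: ApiKey, *deny_actions: str) -> ApiKey:
    """Scope an issued key down without rotating it: attach a Deny statement.

    This is the "reduce permissions even if the key has not been invalidated"
    control, which contains a leak while the merchant plans a rotation.
    """
    deny = Statement("Deny", tuple(deny_actions))
    return replace(key, statements=key.statements + (deny,))


def revoke(key: ApiKey) -> ApiKey:
    return replace(key, revoked=True)


# Constructed keys (hypothetical IDs; not real credentials).
# A pre-scoping key: one leak and the attacker can refund, pay out, read customers.
LEGACY_KEY = ApiKey("rzp_live_LegacyKey000001", (Statement("Allow", ("*",)),))
# A least-privilege key for a mobile backend: create orders up to 5,000.00 and
# read payments, and nothing involving moving money out.
MOBILE_KEY = ApiKey("rzp_live_MobileKey000002", (
    Statement("Allow", ("orders:create", "payments:fetch"), max_amount=500_000),
    Statement("Deny", ("refunds:*", "payouts:*")),
))

if __name__ == "__main__":
    for key in (LEGACY_KEY, MOBILE_KEY, restrict(LEGACY_KEY, "refunds:*", "payouts:*")):
        for action, amount in (("orders:create", 100_000), ("refunds:create", 100)):
            print(key.key_id, action, amount, evaluate(key, action, amount))
```

With such a model, the exposed keys in the article would have bought an attacker only what the merchant's client actually needed, and the merchant could have contained the leak by attaching a Deny to the live key id before going through a full regeneration.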