API security
September 2, 2022

API with a Cache

Researchers have proven that data stored in a browser's cache can be accessed. Much of this is excess data returned by API call responses.

API with a Cache

Many of the examples we’ve written about so far on this blog and talked about publicly have been about attackers or researchers circumventing authentication protocols. But what if you can bypass those protocols altogether?

Akasa Air is a startup airline based in India, which began operations just a month ago and currently services four cities (Mumbai, Ahmedabad, Bengaluru, and Kochi) with a fifth (Chennai) to be added next week. The website and app, built around APIs, were up for months and it didn’t take long for someone to find a problem, as security researcher Ashutosh Barot found on the date of Akasa’s inaugural flight.

After creating an account on Akasa’s website, Barot searched for his PII (Personally Identifying Information), which he was able to find via an HTTP request. Changing the parameters of the search returned other users’ PII that was leftover in the cache. Access to that information is typically subject to authentication and had some unethical hacker come along, they could have built a database of airline users to initiate phishing attacks among other things.

This comes on the heels of the Indian government tabling their Personal Data Protection Bill earlier this month after pressure from tech giants. Further, according to TechCrunch’s Jagmeet Singh, there are fewer programs among Indian companies to incentivize ethical researchers. Indeed, Barot in his blog post framed his efforts as an attempt to secure Indian cyber space rather than his usual weekends of hunting bug bounties.

Despite all that and despite Akasa’s relative lack of response at the beginning of the enterprise, Barot praised Akasa’s general response in both its swiftness and transparency. Akasa informed both CERT-In, India’s cybersecurity agency, and its customers of the exposure and put out a press release detailing the breach. According to Barot, “This is something new when it comes to security incidents in Indian companies.”

So while we can’t give props to how their app and website were set up to begin with, we can at least acknowledge a proactive response to a leak, contrasted with many a company’s strategy of hiding and denial.

Ian Armas Foster

Writer

Related posts

APIs and Competitive Advantage in the Travel Sector
April 17, 2024

APIs and Competitive Advantage in the Travel Sector

In the travel sector, securing a competitive edge is vital. In a hyperconnected industry, where demand fluctuates, pricing is dynamic and customers have endless options, efficient and well-secured APIs can make a huge difference.

Read more
Revisiting Cambridge Analytica in 2024
April 11, 2024

Revisiting Cambridge Analytica in 2024

The Cambridge Analytica Data Scandal led to the collapse of the company, court cases and massive fines for Meta. It highlighted the massive impact that technology was having on society, politics and democracy. Now, almost a decade later, we take a look at how a poorly configured API started it all.

Read more
I was Wrong about Endpoint Security
April 5, 2024

I was Wrong about Endpoint Security

Based on trends in changing compute architectures, it seemed logical that Endpoint Detection and Response companies would shrink their overall install base. Instead, EDR has evolved into Extended Detection and Response.

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!