cloud security
Cybersecurity
October 16, 2024

Disclosure: Multiple Vulnerabilities in Granicus eFiling Platform

Researcher Jason Parker found multiple vulnerabilities on Granicus software, used for government solutions and efiling. These API vulnerabilities included lack of proper authorization, escalation of unauthorized user privilege, and more.

Disclosure: Multiple Vulnerabilities in Granicus eFiling Platform

As APIs continue to rise in use, API security becomes more and more of a pressing issue across all industries. In 2024, we are seeing the highest rate of API attacks of all time, and this is only expected to rise.

Jason Parker, a cybersecurity researcher known for uncovering data leaks and vulnerabilities, recently reported on the platform Granicus, on which he found multiple API security vulnerabilities that could lead to data exposure.

Vulnerabilities:

The first and perhaps most glaring vulnerability pertained to exposed API endpoints that, when interacted with correctly, would return sensitive data such as usernames, email addresses, phone numbers and more.

Another vulnerability that raised multiple red flags was the ability to modify certain accounts without additional controls. A lack of proper authorization measures around security meant users could alter the details of other accounts without even notifying them, in certain cases.

Attackers could also prevent users from logging in and accessing their accounts by adjusting controls or creating duplicate accounts with the same usernames.

“This was achievable by manipulating the username during user creation or via the User Details page, leading to login failures for the original user.”

Finally, privilege escalation was possible by registering an organization with a TypeCode that matched a higher-privileged organization’s. Using these TypeCodes, attackers could escalate privileges and access restricted levels of the site.

Conclusion

These issues, which were discovered in late September, have since been resolved by Granicus. However, it is impossible to know how long the user’s information has been exposed and who could have accessed it during this time. Furthermore, it calls into question the API security and broader cybersecurity of the platform and others like it. Lately, we’ve been seeing more and more vulnerabilities like these. 

Keep up with vulnerabilities, breaches and exposures with the FireTail data breach tracker here. And to see how FireTail can help you with your API security posture, schedule a demo or get started with a free trial, today.

Lina Romero

Related posts

FireTail Joins Wiz Integration (WIN) Platform
October 22, 2024

FireTail Joins Wiz Integration (WIN) Platform

Technology Partnership Enables Mutual Customers to Reduce Cloud Risk and Enhance API Security

Read more
Star Health Data Leak: The Call is Coming from Inside the House
October 16, 2024

Star Health Data Leak: The Call is Coming from Inside the House

Star Health suffered a massive data leak via API access. The personal information of millions of victims has been compromised, and worst of all, there may have been an insider who facilitated the breach.

Read more
Ecovacs Hurl Obscenities at Unsuspecting Users
October 15, 2024

Ecovacs Hurl Obscenities at Unsuspecting Users

Ecovac customers in Australia were startled when their vacuums began talking back to them, most notably using racial slurs. This was made possible through remote access and manipulation of the “smart” devices.

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!