Disclosure: Multiple Vulnerabilities in Granicus eFiling Platform

Researcher Jason Parker found multiple vulnerabilities in Granicus software, which is used for government solutions and eFiling. These API vulnerabilities included a lack of proper authorization, unauthorized privilege escalation, and more.

As APIs continue to rise in use, API security becomes more and more of a pressing issue across all industries. In 2024, we are seeing the highest rate of API attacks of all time, and this is only expected to rise.

Jason Parker, a cybersecurity researcher known for uncovering data leaks and vulnerabilities, recently reported multiple API security vulnerabilities in the Granicus platform that could lead to data exposure.

Vulnerabilities:

The first and perhaps most glaring vulnerability pertained to exposed API endpoints that, when interacted with correctly, would return sensitive data such as usernames, email addresses, phone numbers and more.

Another vulnerability that raised multiple red flags was the ability to modify certain accounts without additional controls. A lack of proper authorization checks meant that users could, in certain cases, alter the details of other accounts without the owners of those accounts even being notified.

Attackers could also prevent users from logging in and accessing their accounts by adjusting controls or creating duplicate accounts with the same usernames.

“This was achievable by manipulating the username during user creation or via the User Details page, leading to login failures for the original user.”

Finally, privilege escalation was possible by registering an organization with a TypeCode that matched a higher-privileged organization’s. Using these TypeCodes, attackers could escalate privileges and access restricted levels of the site.
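The three server-side checks these findings point to (object-level authorization on account edits, username uniqueness on both creation and update, and a TypeCode policy that does not trust the client), as an added example that is not Granicus code. The `Directory` class, its method names and the TypeCode values are all hypothetical.

```python
# Hypothetical in-memory service; names and TypeCode values are constructed.
SELF_SERVICE_TYPE_CODES = {"FILER"}        # a public registrant may request these
PRIVILEGED_TYPE_CODES = {"AGENCY_ADMIN"}   # only an existing admin may assign these
EDITABLE_FIELDS = {"username", "email"}    # fields a profile update may touch

class Denied(Exception):
    """Raised when a request fails an authorization or integrity check."""

def _norm(username):
    # Case- and whitespace-insensitive form, so "Alice " cannot shadow "alice".
    return username.strip().casefold()

class Directory:
    def __init__(self):
        self.users = {}   # user_id -> {"username", "email", "is_admin"}
        self.orgs = []    # (organization name, TypeCode) pairs
        self._next_id = 1

    def _username_taken(self, username, ignore_id=None):
        return any(uid != ignore_id and _norm(u["username"]) == _norm(username)
                   for uid, u in self.users.items())

    def create_user(self, username, email, is_admin=False):
        if self._username_taken(username):
            raise Denied("username already in use")
        uid, self._next_id = self._next_id, self._next_id + 1
        self.users[uid] = {"username": username.strip(), "email": email,
                           "is_admin": is_admin}
        return uid

    def update_user(self, caller_id, target_id, **changes):
        # Object-level authorization: only the owner or an admin may edit.
        if caller_id != target_id and not self.users[caller_id]["is_admin"]:
            raise Denied("caller may not modify this account")
        if not set(changes) <= EDITABLE_FIELDS:
            raise Denied("field is not editable through this call")
        new_name = changes.get("username")
        if new_name is not None and self._username_taken(new_name, target_id):
            raise Denied("username already in use")
        self.users[target_id].update(changes)

    def register_org(self, caller_id, name, type_code):
        # Privilege comes from server-side policy, not the client's TypeCode.
        if type_code in PRIVILEGED_TYPE_CODES:
            allowed = self.users[caller_id]["is_admin"]
        else:
            allowed = type_code in SELF_SERVICE_TYPE_CODES
        if not allowed:
            raise Denied("TypeCode not permitted for this caller")
        self.orgs.append((name, type_code))
```
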

Conclusion

These issues, which were discovered in late September, have since been resolved by Granicus. However, it is impossible to know how long users’ information had been exposed and who could have accessed it during this time. Furthermore, the incident calls into question the API security and broader cybersecurity of the platform and others like it. Lately, we’ve been seeing more and more vulnerabilities like these.