Our team occasionally scans APIs for various customer and research purposes, or in connection with a specific request. As we do this, we sometimes find vulnerabilities affecting third-party organizations. This article is part of an ongoing series of posts following some API vulnerabilities FireTail researchers have uncovered in the process…
FireTail researcher Viktor Markopoulos discovered that various APIs belonging to a data service were leaking their GitHub repositories, which contained the API backend source code. In other words, anyone with a basic understanding of APIs and GitHub could steal the source code and use it maliciously.
Some of these APIs also appeared to be vulnerable to SQL injection, based on his review of the source code.
To date, this vulnerability has not been fixed.