Toyota API Security Data Breach: Unprotected internal endpoint led to privilege escalation

What happened next?

Step 1: Researcher discovered exposed internal endpoint

The researcher examined the app's code and searched for API keys, secret API endpoints, and other relevant information. In the user service function, they stumbled upon generateJWT() function that allows anyone to generate a JWT based on a provided email without the need for a password.

This is API7:2019 Security Misconfiguration categorized as Top 10 vulnerability under OWASP where an internal unprotected vulnerable endpoint was discovered. Akto

The researcher then tested the createJWT API endpoint by sending an HTTP request to it. He discovered that corporate Toyota emails in North America followed a predictable format of firstname.lastname@toyota.com, making it easier to guess a valid email. The researcher searched for Toyota employees in the supply chain and found a potential match, using their names to formulate an email address. 

Finally, the researcher sent the createJWT HTTP request and received a valid JWT.

‍

Step 2: Researcher performed privilege escalation

Next, the researcher escalated to a system administrator account by exploiting an information disclosure vulnerability in the API endpoint named findByEmail that returned information about a user’s account by just providing a valid email. They then elevated their privileges by locating and utilizing a sysadmin's email address. Classic case of privilege escalation!

The researcher could impersonate the system administrator and hence could view sensitive information such as classified documents, project schedules, supplier rankings, and the data of 14,000 users. Not only that, by impersonating the sysadmin, the researcher now had the ability to examine each user's projects, tasks, and surveys, make modifications to user details and delete data.

The most shocking aspect of this breach is that a malicious attacker could have quietly gained access to Toyota's system, copying confidential data without leaving any signs of unauthorized access or data stealing.

This breach highlights the growing importance of API security in today's digital landscape. In this case, the unprotected internal endpoint was a major vulnerability that enabled attackers to escalate their privileges and gain access to sensitive information. It is crucial for organizations to prioritize API security and take below steps to detect, fix and prevent such occurrences:

How to detect data breach? 

1. Maintain a regularly updated inventory of APIs. 

2. If any unauthenticated API with significant capabilities are discovered, remove them from the source code. 

3. Implementing a continuous testing and monitoring tool, such as Akto, can send alerts immediately if a security misconfiguration such as an exposed internal endpoint is detected in this case.

How to fix data breach?

Upon detection of this endpoint, it should be added to the blacklist in the WAF. Collaborate with your development team to restrict access solely for administrators or remove it.

How to prevent the breach?

In certain business cases, such endpoints may be necessary. In these cases, they should be deployed to a separate service and only made accessible through internal access points (e.g. VPN). The ideal solution is to identify and remove this endpoint during code review.

By taking the above steps, organizations can reduce the risk of a security breach and ensure that their APIs are secure and reliable.

Reference:

https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-supplier-portal-with-info-on-14-000-partners/