Toyota API Security Data Breach: Unprotected internal endpoint led to privilege escalation
Learn about Toyota API security Breach: Unprotected internal endpoint led to privilege escalation.
Jaydev Ahire
4 min read
Toyota Data Breach: What happened?
A security researcher discovered a breach in Toyota's Global Supplier Preparation Information Management System (GSPIMS), which allows Toyota’s employees and suppliers to access and manage the company's global supply chain remotely.
Shockingly, the researcher could freely access a vast amount of confidential documents, internal projects, supplier information, and other sensitive data. The researcher responsibly reported the issue to Toyota on November 3, 2022, and Toyota confirmed that the issue was resolved by November 23, 2022.
Breach Breakdown:
Toyota’s GSPIMS application is built using the Angular JavaScript framework. It utilizes specific routes and functions to control user access to different pages. The researcher discovered that by altering the JavaScript code for these functions to always return "true" values, they could gain unrestricted access to the app. Below image describes this:
Despite gaining access to the app, the researcher could not view any data as they were not authenticated by the app.
What happened next?
Step 1: Researcher discovered exposed internal endpoint
The researcher examined the app's code and searched for API keys, secret API endpoints, and other relevant information. In the user service function, they stumbled upon generateJWT() function that allows anyone to generate a JWT based on a provided email without the need for a password.
This is API7:2019 Security Misconfiguration categorized as Top 10 vulnerability under OWASP where an internal unprotected vulnerable endpoint was discovered. Akto
The researcher then tested the createJWT API endpoint by sending an HTTP request to it. He discovered that corporate Toyota emails in North America followed a predictable format of firstname.lastname@toyota.com, making it easier to guess a valid email. The researcher searched for Toyota employees in the supply chain and found a potential match, using their names to formulate an email address.
Finally, the researcher sent the createJWT HTTP request and received a valid JWT.
Step 2: Researcher performed privilege escalation
Next, the researcher escalated to a system administrator account by exploiting an information disclosure vulnerability in the API endpoint named findByEmail that returned information about a user’s account by just providing a valid email. They then elevated their privileges by locating and utilizing a sysadmin's email address. Classic case of privilege escalation!
The researcher could impersonate the system administrator and hence could view sensitive information such as classified documents, project schedules, supplier rankings, and the data of 14,000 users. Not only that, by impersonating the sysadmin, the researcher now had the ability to examine each user's projects, tasks, and surveys, make modifications to user details and delete data.
The most shocking aspect of this breach is that a malicious attacker could have quietly gained access to Toyota's system, copying confidential data without leaving any signs of unauthorized access or data stealing.
This breach highlights the growing importance of API security in today's digital landscape. In this case, the unprotected internal endpoint was a major vulnerability that enabled attackers to escalate their privileges and gain access to sensitive information. It is crucial for organizations to prioritize API security and take below steps to detect, fix and prevent such occurrences:
How to detect data breach?
Maintain a regularly updated inventory of APIs.
If any unauthenticated API with significant capabilities are discovered, remove them from the source code.
Implementing a continuous testing and monitoring tool, such as Akto, can send alerts immediately if a security misconfiguration such as an exposed internal endpoint is detected in this case.
How to fix data breach?
Upon detection of this endpoint, it should be added to the blacklist in the WAF. Collaborate with your development team to restrict access solely for administrators or remove it.
How to prevent the breach?
In certain business cases, such endpoints may be necessary. In these cases, they should be deployed to a separate service and only made accessible through internal access points (e.g. VPN). The ideal solution is to identify and remove this endpoint during code review.
By taking the above steps, organizations can reduce the risk of a security breach and ensure that their APIs are secure and reliable.
Reference:
Keep reading
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
News
8 mins
Akto Recognized as a High Performer in G2’s Fall 2024 Reports for API Security and DAST
We’re proud to announce that Akto has been named a High Performer in both the API Security and Dynamic Application Security Testing (DAST) in G2’s Fall 2024 reports.
Product updates
5 minutes
Introducing Akto Code: Automated API Discovery from source Code
Akto Code is the new addition to Akto's API Discovery suite, complementing our existing capabilities for traffic source analysis in production and lower environments.