Salt Security Finds Widespread Elastic Stack API Security Vulnerability that Exposes Customer and System Data
New threat research from the Salt Labs Security research team details Elastic Stack injection exploit that can result in DoS attacks and cascading API threats
September 29, 2021
PRESS RELEASE
PALO ALTO, Calif. – Sept. 29, 2021 – Salt Security, the leading API security company, today released new API threat research from Salt Labs detailing Elastic Injection attacks. The research highlights a widespread API vulnerability that results from the misimplementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search, and analytics capabilities. Salt Labs found that nearly every organization using Elastic Stack is affected by this vulnerability, which makes users susceptible to injection attacks. Bad actors can use injection attacks to exfiltrate data and launch denial of service (DoS) events.
“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.”
According to the Salt Security State of API Security Report, Q3 2021, API attacks have surged 348% in the last six months. The emergence of exploitable vulnerabilities alongside the proliferation of business-critical APIs expose the significant security gaps that arise from the integration of third-party applications and services. Exploiting the Elastic Stack vulnerability enables any user to extract sensitive customer and system data or create a DoS condition that could render a system unavailable. Salt Labs first identified the exploitable flaws in a large online business-to-consumer (B2C) platform that provides API-based mobile applications and software as a service to millions of global users. Exploits that take advantage of this design weakness can create a cascade of API threats that correspond to common API security problems described in the OWASP API Security Top 10, including:
excessive data exposure
lack of resources and rate limits
security misconfiguration
susceptibility to injection attacks due to lack of input filtering
Salt Labs researchers were able to show how the impact of the Elastic Stack design implementation flaws worsens significantly when an attacker chains together multiple exploits. To exfiltrate sensitive user and system data, attackers can abuse the lack of authorization between front-end and back-end services to obtain a working user account with basic permission levels, then make educated guesses about the schema of back-end data stores and query for data they aren’t authorized to access. Salt Labs was also able to show how lack of resource limitations can leave an organizations’ integrated back-end services vulnerable to a DoS attack that could render a service entirely unavailable or divert attention away from malicious activity against other applications.
“While not a vulnerability with Elastic Stack itself, the design implementation flaws that Salt Labs observed introduce just as much risk. The specific queries submitted to the Elastic back-end services used to exploit this vulnerability are difficult to test for,” said Michael Isbitski, Technical Evangelist, Salt Security. “This case shows why architecture matters for any API security solution you put in place – you need the ability to capture substantial context about API usage over time. It also shows how critical it is to architect application environments correctly. Every organization should evaluate the API integrations between its systems and applications, since they directly impact the company’s security posture.”
In its research efforts, Salt Labs was able to access extensive sensitive data including account numbers and transaction confirmation numbers. Some of the sensitive data was also private and subject to regulation as defined by GDPR. Attackers could use this data to exercise other functionality available via APIs, including the ability to book new services or cancel existing ones. This information could also be used to perpetuate other types of fraud, including the extortion of funds, identity theft, account takeover (ATO) fraud, and nefarious acts that could result in revenue loss in addition to substantial regulatory penalties and fines.
For more information, the Salt Labs report, API Threat Research: Elastic Injection, provides complete details of the Elastic Injection attack pattern, steps to propagate the attack, and suggested mitigation techniques.
To learn more about Salt Security or to request a demo, please visit https://content.salt.security/demo.html.
About Salt Labs
Salt Labs furthers the broader Salt Security mission to enable innovation through APIs. A public forum for publishing research on API vulnerabilities, Salt Labs is dedicated to educating the market on the latest in API threats and security incidents. The Salt Labs security research team focuses on discovering API vulnerabilities in the wild, documenting the tactics of threat actors, and helping organizations avoid or remediate the risk. For more information, please visit: https://salt.security/salt-labs.
About Salt Security
Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform learns the granular behavior of a company’s APIs and requires no configuration or customization to pinpoint and block API attackers. Salt Security was founded in 2016 by alumni of the Israeli Defense Forces (IDF) and serial entrepreneur executives in the cybersecurity field and is based in Silicon Valley and Israel. For more information, please visit: https://salt.security.
You May Also Like