Oxeye identifies exploit revealing personal information in online payment services



Oxeye logo

Exploit exploits Jaegar to access sensitive user data

TEL AVIV, TEXAS, ISRAELL, December 20, 2021 /EINPresswire.com/ – Oxeye’s search operations have identified an exploit while trying to create a path using Jaegar, an open source software for trace transactions between distributed services. During his examination, Oxeye discovered that Jaegar did not have a username and password to access user data collected / stored by the open source service instrumentation platform OpenTelemetry. As a result, unauthorized purchases on user accounts were made possible.

Oxeye’s research revealed that Jaeger’s user interface was publicly exposed and did not require credentials to access it. In the Jaeger dashboard, internal and external microservices were visible, as were the connections between microservices. Since many tracing approaches are implemented so that actual API parameters are sent via POST parameters, they are not displayed in Jaeger. But, when the parameters were sent through the GET parameter, they were visible which resulted in the aforementioned security issue.

Oxeye discovered the feat with an online payment service. The issue was reported to the vendor citing a backdoor path through unprotected internet exposure. This could allow the webpage refresh tokens of recently revised pages kept in Jaegar to open access to the user’s personal information. Upon being informed of the exploit, the online payment provider immediately shut down internet access to the identified Jaegar, which resolved the issue.

Additionally, a second identified endpoint that contained sensitive information. Its goal included verifying the refresh token for authenticated users. During the process, the refresh token would be sent to an internal gateway using the GET parameter. After finding refresh tokens from other accounts, the ability to generate an access token and bypass the authentication mechanism was discovered. Then, after examining the cookies, the system could be orchestrated to request a new access token and backdoor from the platform. This issue has also been addressed.

“While initially seeking to show the communication between microservices in these environments, he realized that the payment provider’s platform was exposed through sensitive data presented in the open Jaeger. Thanks to this security flaw, it was possible to connect and authenticate on the platform as another user (which was accomplished several times) ”, commented Ron Vider, CTO and co-founder from Oxeye. “This means that a malicious hacker could easily take advantage of this misconfiguration issue and steal sensitive and PII data from customers. Credit card information as well as sensitive technical data could be used maliciously by using connections between microservices, APIs, etc.

According to the Federal Bureau of Investigation (FBI), victims of online or Internet crime are advised to file a report with the Internet Crime Complaint Center (IC3) as soon as possible. Crime reports are used for investigative and intelligence purposes. Quick reports can also help recover lost funds. Visit ic3.gov for more information, including tips and information on current crime trends.

Since reporting the exploit, the payment provider has removed Jaeger’s dashboard from internet exposure, resolving the potential for unauthorized access. Oxeye, a specialist in cloud native application security testing, will do everything possible to notify application vendors of exploits when they are discovered by the company’s technology platform and research team.

About Oxeye
Oxeye provides a cloud native application security testing solution designed specifically for modern architectures. The company enables customers to identify and resolve the most critical code vulnerabilities in the software development lifecycle, disrupting traditional application security testing (AST) approaches by providing a contextual, effortless solution and comprehensive that ensures that no vulnerable code ever reaches production. Designed for development and AppSec teams, Oxeye helps move security to the left while speeding development cycles, reducing friction, and eliminating risk.

Joe austin
Public relations
+ 18183326166
write us here
Visit us on social networks:
Twitter
LinkedIn



Previous First Online Payment App, HesabPay Provides Online Financial Services In Afghanistan
Next IRC launches an online payment portal