Nearly 50 online merchants have already been compromised in intrusions exploiting Stripe's legacy application programming interface "api.stripe[.]com/v1/sources" for payment data validation as part of an advanced web skimmer campaign that has been underway since August, according to The Hacker News.
TechCrunch reports that APIsec, an API security testing company, had its customers' data and other sensitive information dating back to 2018 inadvertently exposed by a misconfigured internal database, which was secured immediately after UpGuard researchers identified it earlier last month.
We get a visit from Tanya Janca to discuss her latest book, Alice and Bob Learn Secure Coding!
Segment Resources:
Tanya's latest book on Amazon
Tanya's previous book, Alice and Bob Learn Application Security on Amazon
Tanya's website, She Hacks Purple
Investigation into the incident, which was initially detected on Dec. 2, revealed that threat actors leveraged a Remote Support SaaS API key to conduct local app account password resets.
Aside from disrupting servers through a deluge of requests to "debug/pprof/heap" and other endpoints, attackers could also exploit Prometheus' "metrics" endpoint to obtain information from internal API endpoints, Docker registries, subdomains, and images that could be leveraged for reconnaissance efforts.