Salt Security Finds Widespread Elastic Stack API Security Vulnerability that Exposes Customer and System Data
September 2021 by Salt Security
Salt Security released new API threat research from Salt Labs detailing Elastic Injection attacks. The research highlights a widespread API vulnerability that results from the misimplementation of Elastic Stack, a group of open source products that use APIs for critical data aggregation, search, and analytics capabilities. Salt Labs found that nearly every organization using Elastic Stack is affected by this vulnerability, which makes users susceptible to injection attacks. Bad actors can use injection attacks to exfiltrate data and launch denial of service (DoS) events.
“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.”
According to the Salt Security State of API Security Report, Q3 2021, API attacks have surged 348% in the last six months. The emergence of exploitable vulnerabilities alongside the proliferation of business-critical APIs expose the significant security gaps that arise from the integration of third-party applications and services. Exploiting the Elastic Stack vulnerability enables any user to extract sensitive customer and system data or create a DoS condition that could render a system unavailable. Salt Labs first identified the exploitable flaws in a large online business-to-consumer (B2C) platform that provides API-based mobile applications and software as a service to millions of global users. Exploits that take advantage of this design weakness can create a cascade of API threats that correspond to common API security problems described in the OWASP API Security Top 10, including:
excessive data exposure
lack of resources and rate limits
susceptibility to injection attacks due to lack of input filtering
Salt Labs researchers were able to show how the impact of the Elastic Stack design implementation flaws worsens significantly when an attacker chains together multiple exploits. To exfiltrate sensitive user and system data, attackers can abuse the lack of authorization between front-end and back-end services to obtain a working user account with basic permission levels, then make educated guesses about the schema of back-end data stores and query for data they aren’t authorized to access. Salt Labs was also able to show how lack of resource limitations can leave an organizations’ integrated back-end services vulnerable to a DoS attack that could render a service entirely unavailable or divert attention away from malicious activity against other applications.
“While not a vulnerability with Elastic Stack itself, the design implementation flaws that Salt Labs observed introduce just as much risk. The specific queries submitted to the Elastic back-end services used to exploit this vulnerability are difficult to test for,” said Michael Isbitski, Technical Evangelist, Salt Security. “This case shows why architecture matters for any API security solution you put in place – you need the ability to capture substantial context about API usage over time. It also shows how critical it is to architect application environments correctly. Every organization should evaluate the API integrations between its systems and applications, since they directly impact the company’s security posture.”
In its research efforts, Salt Labs was able to access extensive sensitive data including account numbers and transaction confirmation numbers. Some of the sensitive data was also private and subject to regulation as defined by GDPR. Attackers could use this data to exercise other functionality available via APIs, including the ability to book new services or cancel existing ones. This information could also be used to perpetuate other types of fraud, including the extortion of funds, identity theft, account takeover (ATO) fraud, and nefarious acts that could result in revenue loss in addition to substantial regulatory penalties and fines.
For more information, the Salt Labs report, API Threat Research: Elastic Injection, provides complete details of the Elastic Injection attack pattern, steps to propagate the attack, and suggested mitigation techniques.