Hundreds of Android apps have leaked API keys, putting users at risk

Hundreds of Android apps distributed through the Google Play Store have leaked application programming interface (API) keys, putting users at risk of identity theft and other threats.

The risks were discovered by cybersecurity researchers at CloudSEK, who used the company's BeVigil security search engine to analyze 600 apps on the Play Store.

Overall, the team found that half (50%) were leaking API keys from the top three email marketing and transaction service providers, putting users at risk of fraud or scam.

MailChimp, SendGrid, MailGun

CloudSEK discovered that the apps leaked MailChimp, SendGrid, and Mailgun API keys, allowing potential threat actors to send email, remove API keys, and even modify multi-factor authentication (MFA). CloudSEK has since notified the app developers of its findings.

Between them, the apps have been downloaded by 54 million people, who are now at risk. Most of the potential victims are in the United States, with the United Kingdom, Spain, Russia, and India also accounting for a significant portion.

"In modern software architecture, APIs integrate new application components into the existing architecture. Therefore, their security has become imperative," commented CloudSEK. "Software developers should avoid embedding API keys in their applications and should follow secure coding and deployment practices, such as standardizing review procedures, key rotation, key masking, and use from the vault."
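The advice above is easier to act on with a check in the build pipeline. The following script is an added example, not CloudSEK's BeVigil code and not from any of the apps in the report: it unpacks an APK (a zip file), scans the entries where hardcoded keys usually end up, and reports any token shaped like a MailChimp, SendGrid, or Mailgun key in redacted form. The regular expressions reflect the commonly documented key shapes for those providers and are assumptions to tune for your own environment; the sample APK it builds contains constructed fake keys only.

```python
import io
import re
import zipfile

# Key shapes are assumptions based on the providers' commonly documented formats,
# not rules from CloudSEK's BeVigil; tune them for your own environment.
KEY_PATTERNS = {
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),            # <32 hex>-us<datacenter>
    "sendgrid":  re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),  # SG.<id>.<secret>
    "mailgun":   re.compile(r"\bkey-[0-9a-f]{32}\b"),                      # legacy key-<32 hex>
}


def scan_text(text):
    """Return (provider, key) pairs for every key-shaped token found in text."""
    return [(p, m.group(0)) for p, rx in KEY_PATTERNS.items() for m in rx.finditer(text)]


def redact(key):
    """Keep only the first and last four characters so findings can be logged safely."""
    return key[:4] + "..." + key[-4:]


# Entries inside an APK where hardcoded keys typically end up.
SCAN_SUFFIXES = (".dex", ".xml", ".json", ".properties", ".txt", ".js")


def scan_apk_bytes(data):
    """Scan an APK held in memory; returns (entry, provider, redacted_key) triples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/") or name.endswith(SCAN_SUFFIXES):
                # DEX strings are MUTF-8 and resource XML is compiled to binary, but an
                # ASCII key survives a lossy UTF-8 decode of either, which is all we need.
                text = apk.read(name).decode("utf-8", errors="ignore")
                findings.extend((name, p, redact(k)) for p, k in scan_text(text))
    return findings


def build_sample_apk():
    """Constructed stand-in for a leaky APK: the keys are fake, not real credentials."""
    fake_mc = "0123456789abcdef0123456789abcdef-us21"
    fake_sg = "SG." + "a" * 22 + "." + "b" * 43
    fake_mg = "key-" + "0" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/config.json", '{"mailchimp_key": "%s"}' % fake_mc)
        # Minimal DEX-like blob: a header fragment plus NUL-separated string data.
        apk.writestr("classes.dex",
                     b"\x00dex\n035\x00" + fake_sg.encode() + b"\x00" + fake_mg.encode() + b"\x00")
        apk.writestr("res/raw/readme.txt", "no secrets here, just a URL https://api.example.test")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, provider, key in scan_apk_bytes(build_sample_apk()):
        print(f"{entry}: {provider} key {key}")
```

Run it against a real build by replacing `build_sample_apk()` with the bytes of your APK; a non-empty result should fail the pipeline, and the redacted output is safe to keep in CI logs. The check only catches keys in the formats listed, so extend `KEY_PATTERNS` for any other provider the app talks to.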

Of the three services, MailChimp is arguably the most prominent, and by disclosing MailChimp API keys, app developers would allow threat actors to read email conversations, extract customer data, access mailing lists, send mail, run their own email campaigns, and manipulate promotional codes.

Hackers could also authorize third-party apps to connect to a MailChimp account. In total, the researchers identified 319 MailChimp API keys, of which more than a quarter (28%) were valid. Twelve of those keys additionally allowed reading emails.

Mailgun API key leaks likewise allow hackers to send and read email, as well as obtain Simple Mail Transfer Protocol (SMTP) credentials, IP addresses, and various statistics. In addition, they could exfiltrate customer mailing lists.

SendGrid, on the other hand, is a communications platform that helps businesses send marketing and transactional emails through a cloud-based email delivery service. With a leaked API key, hackers could send emails, create further API keys, and control the IP addresses used to access accounts.

Via: Infosecurity Magazine