Prevent Data Leaks Caused by Web Applications – eScan

- Advertisment -
- Advertisement -

Security Researcher Elliot Alderson has discovered a huge leak of Aadhaar numbers from Indane’s website as well as  app. The leak has not just put Aadhaar number of 6.7 million people at stake but also their personal details.

Data breaches like these do not necessarily translate into a complicated attack by hackers, they may be simple attacks attributed to configuration errors or unpatched systems or coding error. However, when the same issues are discovered by Security Researchers, who put in efforts to find a way into the system and following the processes laid down for responsible disclosure, then these are termed as bugs/vulnerabilities.

Organizations lately have been hiring researchers to find vulnerabilities in their networks/systems with the objective to ensure that their systems are protected and decrease the footprint of the attack surface that may otherwise allow easy access to the hackers.

The existence of vulnerabilities in Web Applications, pose a greater risk to the integrity of the entire system, while mobility being the new mantra, we are embracing web-application and are moving towards cloud-based systems at a much greater pace than ever before. Web-Applications viz, ERP, CRM, Emails are a conduit to the data which is essential for the functioning of an organization and unlike their stand-alone/networked counterparts, have a much larger attack surface.

Search engine caching paradigm

According to eScan, there have been instances when confidential datasets have been cached by Google, which otherwise shouldn’t have been left exposed for the general public to view and for hackers to gain a foothold into the system.

data breach

Caching of datasets by the search engine is an excellent example to the non-existence / therein lack of Authentication and Access Management, which is an inherent requirement when data is being served. The recent leak which was exposed by the French Researcher “Elliot Alderson” was cached by Google’s Search Engine, furthermore, this cached dataset was devoid of authentication would have allowed anyone with scripting knowledge to automate the data-mining tasks on the actual urls. Presently, as per our observation, the erring URIs has been taken down by Indane.

Prevent Data Leaks Caused by Web Applications – eScan

Could this have been averted?

Dynamic Application Security Testing facilitates organizations to test their web-based applications/web-sites for the existence of vulnerabilities viz. XSS, CSRF, SQLi, LFI / RFI, furthermore, pages which are supposed to be accessible after authentication are also tested for vulnerabilities which may allow users to gain access to the other resources served by the application.

In this case, Unauthenticated API Endpoints were solely responsible for allowing anyone with the knowledge of using Google Search Engine to gain access to the datasets, which otherwise should have been protected.

DAST Solutions also facilitate organizations to discover such vulnerable end-points not just by crawling the web-application by also by querying and analyzing the results of the search engines.

The need of the hour for all organizations which handle sensitive data should conduct regular DAST audits of their web-applications.

H2S Media Team
H2S is a group of tech enthusiasts those are passionate about latest technology developments. They always like to solve own technical problems and share the same solution with others through this Website.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Posts

How to run Chrome extensions on Microsoft Edge Chromium browser

It is long since we know about Microsoft Edge, which is Microsoft's endeavour to dominate the market of browsers....

How to get dark mode on WhatsApp to keep eyes stress free

WhatsApp keeps adding new features to the app, and most features turn out to be useful for us, except...

73% of software developers willing to invest Rs 10-20k per year for upskilling

The rapid development in the technology area is compelling the firms and developers to gear up their technology skills...

Sony accidentally confirmed a massive News leak on PS5

The PlayStation 5 launch is just around the corner. Also, the rumours are about an upcoming meeting of Sony...
- Advertisement -

Horizon: Zero Dawn is Coming to PC, all about its release

There is news coming up from the insider sources that Sony is already working on their project to release...

WhatsApp Dark Mode is available for Android users, test it now!

Finally, to save the oil of eye lamps especially for those continuously do chats on WhatsApp, Dark Mode is...

- Advertisment -
- Advertisement -

You might also likeRELATED
Recommended to you