“Connectivity is productivity” has become the mantra of the 21st century, and the surge in economic activity and GDP in the internet era bears it out. Yet the more people and systems are connected, the harder it becomes to keep applications secure.
Cases in point are the marketplaces attached to some of the most important business connectivity platforms, such as Slack and Salesforce, which are growing rapidly to enable easy integration with additional services. Because the apps in these marketplaces are developed by third parties, they make the platforms even more useful: users can personalize them and work more productively, saving the organization time and money.
However, those efficiencies can backfire. The security posture of some marketplace apps is unclear, and the platforms that allow those apps to interact with customer data don’t necessarily vet them. As a result, an attacker could exploit a vulnerable app to steal organizational or personal employee data from the platform.
This lurking danger affects some of the biggest and best-known platforms. For example, in 2020 a researcher discovered a bug in Slack that could allow an attacker to automate account takeover by “exploiting an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests.” Using that flaw, researchers said, “An attacker could create a Slack add-on that advertises some great features but also reads channel data.” Slack fixed the issue and paid the individual who reported it a bug bounty. Yet that vulnerability could just as easily have been found first by a bad actor.
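To make the mechanism behind a CL.TE desync concrete, here is an added example (not code from the original article, from the Slack report, or from Slack itself) that models two minimal HTTP/1.1 request framers: a front end that trusts Content-Length and a back end that trusts Transfer-Encoding: chunked. Fed the same bytes, they disagree about where the first request ends, and the leftover bytes get glued onto the next customer’s request on the shared upstream connection. The requests, the host example.invalid, the /admin path and the X-Ignore header are all constructed placeholders; the exact chain used against Slack is not reproduced here. The hardened framer at the end rejects any request that carries both length indicators, which RFC 9112 section 6.3 permits.

```python
# Added example for this article: a minimal model of a CL.TE request-smuggling
# desync. Not code from the original page, the Slack report, or Slack itself;
# every request below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Request:
    start_line: str
    headers: Dict[str, str]
    body: bytes = b""


def _parse_head(buf: bytes) -> Tuple[Request, bytes]:
    """Split off the request line and header block; return them plus the unparsed rest."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return Request(lines[0].decode("ascii"), headers), rest


def frame_by_content_length(buf: bytes) -> Tuple[Request, bytes]:
    """Front-end style framing: trust Content-Length, ignore Transfer-Encoding."""
    req, rest = _parse_head(buf)
    length = int(req.headers.get("content-length", "0"))
    req.body, remainder = rest[:length], rest[length:]
    return req, remainder


def frame_by_transfer_encoding(buf: bytes) -> Tuple[Request, bytes]:
    """Back-end style framing: if Transfer-Encoding is chunked, read chunks up to the zero chunk."""
    req, rest = _parse_head(buf)
    if req.headers.get("transfer-encoding", "").lower() != "chunked":
        return frame_by_content_length(buf)
    body = bytearray()
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # chunk-size; chunk extensions ignored
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty trailer section ends with CRLF
            break
        body += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF
    req.body = bytes(body)
    return req, rest


def is_ambiguous(buf: bytes) -> bool:
    """True when a request carries both length indicators, the precondition for a CL.TE desync."""
    req, _ = _parse_head(buf)
    return "content-length" in req.headers and "transfer-encoding" in req.headers


def frame_strict(buf: bytes) -> Tuple[Request, bytes]:
    """Hardened framing: reject ambiguous requests outright instead of guessing."""
    if is_ambiguous(buf):
        raise ValueError("both Content-Length and Transfer-Encoding present; refusing to guess")
    return frame_by_transfer_encoding(buf)


# Constructed attack: the chunked body ends immediately ("0\r\n\r\n"), and the bytes after it
# form a request prefix that the back end will glue onto the next request on the connection.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: " + str(len(ATTACKER_BODY)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + ATTACKER_BODY
)
# Constructed victim request that happens to arrive next on the same upstream connection.
VICTIM_REQUEST = b"GET /home HTTP/1.1\r\nHost: example.invalid\r\nCookie: session=victim\r\n\r\n"


def run_desync() -> Tuple[Request, Request]:
    """Return (attacker request as the front end saw it, request the back end processes next)."""
    front_req, front_rest = frame_by_content_length(ATTACKER_REQUEST)
    assert front_rest == b""  # the front end sees one well-formed request and forwards all of it
    _, leftover = frame_by_transfer_encoding(ATTACKER_REQUEST + VICTIM_REQUEST)
    hijacked, _ = frame_by_transfer_encoding(leftover)
    return front_req, hijacked


if __name__ == "__main__":
    front, hijacked = run_desync()
    print("front end forwarded:", front.start_line)
    print("back end then serves:", hijacked.start_line, "with X-Ignore =", hijacked.headers["x-ignore"])
```

The victim’s request line ends up as the value of a header on a request the victim never sent, which is the sense in which the attacker “hijacks” a neighboring customer’s request. The practical check for a defender is the `is_ambiguous` condition: a front end that normalizes or rejects requests carrying both headers removes the disagreement the attack depends on.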
The problem extends to nearly all platforms that allow third-party applications to interact with their APIs. A 2021 report by the SANS Institute said that poorly configured or insecure interfaces or APIs “are a major concern” and that misconfigured cloud resources, including those accessible through APIs, were responsible for nearly half of all attacks.
The sheer number of interactions between platforms, devices, and third-party apps can itself be a source of outages and other failures. According to researchers at Columbia University, “security-oblivious designs of hardware and their interfaces can expose systems to new vulnerabilities.” In Salesforce, for example, third-party applications that rely on the platform’s OAuth flow can open the door to bad actors: once a user authorizes an app, the access it was granted stays valid until someone actively revokes it, so the grant lives on for every user who approved it. Unfortunately, that applies to many of the apps in the platform’s marketplace.
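Because such grants never expire on their own, the practical control is a periodic audit that enumerates them and decides which to revoke. The following added example (not code from the original article or from Salesforce) applies a simple policy to a token inventory: flag any grant for an app that is not on the approved list, and any grant that has not been exercised within a configurable idle window, treating a token that was issued long ago and never used as the riskiest case. The record shape (app name, user, issue date, last-use date, use count) is an assumption loosely modelled on what a SaaS platform’s connected-app or token inventory exposes; the field names, the approved-app list and every record are constructed, and pulling real records from the platform is left out.

```python
# Added example for this article: audit long-lived OAuth grants that stay valid
# until someone revokes them. Not code from the original page or from Salesforce;
# the record shape is an assumption modelled on a platform's token inventory,
# and every grant below is constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class OAuthGrant:
    app_name: str
    user_id: str
    created: datetime
    last_used: Optional[datetime]  # None: token issued but never exercised
    use_count: int


@dataclass(frozen=True)
class Finding:
    app_name: str
    user_id: str
    reasons: Tuple[str, ...]


def revocation_candidates(grants: Iterable[OAuthGrant], approved_apps: Set[str],
                          now: datetime, max_idle: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return the grants an administrator should revoke, each with the reasons.

    Idle time is measured from the last use, or from the issue date when the token
    was never used: an old token nobody exercises is attack surface with no value.
    """
    findings: List[Finding] = []
    for g in grants:
        reasons = []
        if g.app_name not in approved_apps:
            reasons.append("app not on the approved list")
        last_activity = g.last_used or g.created
        idle = now - last_activity
        if idle > max_idle:
            if g.last_used is None:
                reasons.append(f"issued {idle.days} days ago and never used")
            else:
                reasons.append(f"idle for {idle.days} days")
        if reasons:
            findings.append(Finding(g.app_name, g.user_id, tuple(reasons)))
    return findings


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory snapshot, audited as of a fixed date so results are reproducible.
AUDIT_TIME = _utc(2024, 6, 1)
APPROVED_APPS = {"Approved CRM Sync"}
SAMPLE_GRANTS = [
    OAuthGrant("Approved CRM Sync", "005A", _utc(2023, 1, 10), _utc(2024, 5, 30), 1200),   # healthy
    OAuthGrant("Approved CRM Sync", "005B", _utc(2023, 3, 1), _utc(2023, 11, 1), 40),      # idle 213 days
    OAuthGrant("Shiny Calendar Widget", "005C", _utc(2024, 5, 20), _utc(2024, 5, 31), 5),  # unapproved app
    OAuthGrant("Old Contractor Tool", "005D", _utc(2023, 2, 1), None, 0),                  # never used
]


if __name__ == "__main__":
    for f in revocation_candidates(SAMPLE_GRANTS, APPROVED_APPS, AUDIT_TIME):
        print(f"revoke {f.app_name!r} for user {f.user_id}: {'; '.join(f.reasons)}")
```

Run against a real inventory, the approved-app set would come from the organization’s vetting process and the idle window from policy; the point the example makes is that, since the platform will not expire these grants for you, the revocation step has to be scheduled and owned by someone.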
The traditional way to address this would be to block applications and services until they have been vetted for security. If the platforms aren’t prepared to do that, the burden falls on the organization’s security team. But even a team that devoted all of its hours and resources to vetting could not cover the whole territory, and because many of these services are updated constantly, the work never ends.
While security teams can restrict access to platforms and applications inside the office, the reality is that in many organizations employees work partly or entirely remotely and often connect to company networks from personal devices full of personal apps. In this era of remote work, many companies have also moved on-prem resources to the cloud; consequently, employees can now integrate apps and other services with corporate resources in ways they could not from an office’s on-location network. Read more: https://bit.ly/3M47lup
You can also read this: What Real-Life SaaS Attack Misconfiguration Exploits Can Teach Us