September 2, 2022

API with a Cache

Researchers have proven that data stored in a browser's cache can be accessed. Much of this is excess data returned by API call responses.

API with a Cache

Many of the examples we’ve written about so far on this blog and talked about publicly have been about attackers or researchers circumventing authentication protocols. But what if you can bypass those protocols altogether?

Akasa Air is a startup airline based in India, which began operations just a month ago and currently services four cities (Mumbai, Ahmedabad, Bengaluru, and Kochi) with a fifth (Chennai) to be added next week. The website and app, built around APIs, were up for months and it didn’t take long for someone to find a problem, as security researcher Ashutosh Barot found on the date of Akasa’s inaugural flight.

After creating an account on Akasa’s website, Barot searched for his PII (Personally Identifying Information), which he was able to find via an HTTP request. Changing the parameters of the search returned other users’ PII that was leftover in the cache. Access to that information is typically subject to authentication and had some unethical hacker come along, they could have built a database of airline users to initiate phishing attacks among other things.

This comes on the heels of the Indian government tabling their Personal Data Protection Bill earlier this month after pressure from tech giants. Further, according to TechCrunch’s Jagmeet Singh, there are fewer programs among Indian companies to incentivize ethical researchers. Indeed, Barot in his blog post framed his efforts as an attempt to secure Indian cyber space rather than his usual weekends of hunting bug bounties.

Despite all that and despite Akasa’s relative lack of response at the beginning of the enterprise, Barot praised Akasa’s general response in both its swiftness and transparency. Akasa informed both CERT-In, India’s cybersecurity agency, and its customers of the exposure and put out a press release detailing the breach. According to Barot, “This is something new when it comes to security incidents in Indian companies.”

So while we can’t give props to how their app and website were set up to begin with, we can at least acknowledge a proactive response to a leak, contrasted with many a company’s strategy of hiding and denial.