Lately I've been paying a lot of attention to issues related to data protection, and I've been wondering how companies are adapting to the new guidelines that the LGPD has been bringing since August 2020.
I then decided to explore the security of a website, with the goal of understanding how difficult it would be to find a security flaw. To my surprise, it took less than 5 minutes to reach a very serious one.
In this article I will tell a little about how I found this flaw, which could lead to a data leak and even a legal penalty for the company. Keep in mind that this exploration had a clear objective and no ill intent; the company was notified soon afterwards so that it could deal with the error correctly.
How did I find the error?
When I talk about exploration, some people may wonder what it means. Basically, it is a series of actions and code analysis that lets you understand an architecture and also find errors like this security error.
In this exploration I used a simple tool for sending requests to APIs called Insomnia. With it, it is possible to interact with APIs without very advanced techniques.
With the software installed on my computer, I started testing the APIs of a certain site. I started from the principle of information exchange, since it is the basic way to test the security of a site, and the place where the greatest volume of exchange usually happens is the newsletter, so I signed up for it on the site.
Soon after I finished my registration, I received the first email validation trigger, sent through an exposed API.
I accessed the documentation of the platform the site is hosted on and understood how this API works on a site. With this, I discovered that the search over the email field was open within the code, giving me access to the following API:
/api/dataentities/NS/search?_where=email is not null&_fields=email
With this simple information I was able to access the data of everyone who had signed up for the brand's newsletter. I was surprised, because I had imagined that finding a serious error like this would be more difficult and elaborate.
Just as this error was easy to find, the fix is also quick: block this API.
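On a hosted platform the block itself is a permission setting in the platform's own administration, which I can't show here. What I can add is a way to confirm, from your own access logs, that anonymous bulk reads of the newsletter entity are no longer succeeding and to spot the pattern if they are. The script below is an added example, not code from the article or from the hosting platform; the access-log format and every sample line are constructed, and only the "NS" entity acronym and the "_where" / "_fields" parameters come from the URL above. It flags successful (2xx) search requests whose filter matches every record or which ask for personal-data fields, counts 401/403 responses separately so you can see the block working, and totals findings per client address, since one address pulling page after page is the signature of enumeration.

```python
"""Audit web-server access logs for anonymous bulk reads of a customer-data
search API, such as the newsletter entity described in the article.

Added example: the log format and sample lines are constructed; only the
"NS" acronym and the _where/_fields parameters come from the article's URL.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not from the article's site). Each line:
#   client_ip - - [timestamp] "METHOD path HTTP/1.1" status bytes
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2020:10:01:02 +0000] "GET /api/dataentities/NS/search?_where=email%20is%20not%20null&_fields=email HTTP/1.1" 200 48213
203.0.113.10 - - [01/Sep/2020:10:01:09 +0000] "GET /api/dataentities/NS/search?_where=email%20is%20not%20null&_fields=email,name HTTP/1.1" 200 71002
198.51.100.7 - - [01/Sep/2020:10:02:30 +0000] "GET /api/dataentities/NS/search?_where=id=abc123&_fields=email HTTP/1.1" 200 96
198.51.100.7 - - [01/Sep/2020:10:03:00 +0000] "GET /api/dataentities/NS/search?_where=email%20is%20not%20null&_fields=email HTTP/1.1" 403 0
192.0.2.5 - - [01/Sep/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
SEARCH_PATH_RE = re.compile(r"^/api/dataentities/(?P<entity>[^/]+)/search$")
# Fields whose exposure to anonymous clients is personal data under the LGPD.
SENSITIVE_FIELDS = {"email", "name", "phone", "document"}
# A filter that matches every record is the signature of a bulk dump.
BROAD_WHERE_RE = re.compile(r"\bis\s+not\s+null\b", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # percent-decoding happens here
    return rec


def classify(rec):
    """Rate a data-entity search request, or return None if it is not one."""
    m = SEARCH_PATH_RE.match(rec["path"])
    if not m:
        return None
    where = rec["query"].get("_where", [""])[0]
    raw_fields = rec["query"].get("_fields", [""])[0]
    fields = {f.strip().lower() for f in raw_fields.split(",") if f.strip()}
    reasons = []
    if not where or BROAD_WHERE_RE.search(where):
        reasons.append("filter matches every record")
    exposed = sorted(fields & SENSITIVE_FIELDS)
    if exposed:
        reasons.append("personal data fields requested: " + ",".join(exposed))
    # Both a record-wide filter and personal fields together is a full dump.
    severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
    return {"entity": m.group("entity"), "severity": severity, "reasons": reasons}


def audit_log(text):
    """Return (findings, blocked): findings for successful searches worth
    attention, and the count of searches the platform refused (401/403)."""
    findings, blocked = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        if rec["status"] in (401, 403):
            blocked += 1  # the block described in the article is in place
            continue
        if 200 <= rec["status"] < 300 and result["severity"] != "low":
            findings.append({"ip": rec["ip"], "target": rec["target"], **result})
    return findings, blocked


def by_client(findings):
    """Findings per client IP: one address with many hits is enumeration."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found, refused = audit_log(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ip"], f["entity"], "; ".join(f["reasons"]))
    print("refused attempts:", refused)
    print("per client:", by_client(found))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; after the API is closed to anonymous clients, the findings list should stay empty while the refused count records any further attempts, which is the signal to keep in your monitoring.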
How to avoid data leakage on your website?
Considering the LGPD, in the event that a company is the victim of a data leak, the responsibility lies entirely with the company. In these cases, it can be treated with a warning or a fine of 2% of turnover and, depending on the case, the activity can be suspended by the courts.
To avoid security breaches and data leakage, it is necessary to have a technical team that performs security tests periodically to find flaws and correct errors. Keep in mind that the more systems are involved, the more communication there is between them, increasing the chances of a security breach. It is up to your security architect to understand how your site is working, so that you don't run the risk of compromising your clients and your brand.
If you want to dig deeper into the subject and understand how the LGPD impacts your business, access our e-book "A guide to LGPD".
Keep an eye on your site's security! Talk to one of our consultants about the projects we carry out to help clients prevent data leakage.