API Flaw Exposes Elastic Stack Users to Data Theft and DoS
Security researchers have disclosed a serious and wide-ranging API vulnerability stemming from the incorrect implementation of Elastic Stack, which could create serious business risk for customers.
Elastic Stack is a popular collection of open source search, analytics and data aggregation products, including Elasticsearch.
Salt Security claimed that nearly every provider customer is affected by the vulnerability — which relates to design implementation flaws rather than a bug in Elastic Stack code itself.
Its Salt Labs team first identified the issue in a large online B2C platform providing API-based mobile applications and SaaS offerings to millions of global users.
“The APIs contained a design flaw, and Elastic Stack was configured with implicit trust of front-end services by back-end services. As a result, we were able to query for unauthorized customer and system data,” Salt Labs said in a blog post.
“We were further able to demonstrate additional flaws that took advantage of this Elastic Stack design weakness to create a cascade of API threats, many of which correspond indirectly to items described in the OWASP API Security Top 10.”
These include excessive data exposure, security misconfiguration, exposure to injection attacks due to lack of input filtering, and lack of resources and rate limits.
Salt Labs said the data it could access from the B2C firm via exploitation of the flaw included customer account numbers and GDPR-regulated information.
The injection attacks made possible by the vulnerability could enable threat actors to launch DoS attacks, as well as data theft, it claimed.
“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO of Salt Security.
“The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.”
According to recent research from the company, global API attacks have soared by 348% in the past six months.