Payment API Exposed Data

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers.

Around 250 of the 13,000 apps published to its BeVigil “security search engine” for mobile applications utilize the Razorpay API to conduct financial transactions.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. Here is a list of the applications that are affected.

One of India’s leading steel trading companies
Online grocery app
Nepalekart (Instant Recharge to Nepal): Now remediated
Top education app in south India
Gold merchant
Health app

An API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. During integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. Malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns.
All ten of the compromised APIs have now been disabled.

AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys. This should be followed by App developers in order to protect data leakages.