Researchers discovered a new application programming interface vulnerability that can lead to attacks on Elastic Stack, a group of open source products that use APIs for critical data aggregation, search and analytics capabilities. Nearly every organization using Elastic Stack is affected by the vulnerability, which allows bad actors to exfiltrate data and launch DoS attacks.
The exploitable flaws were found in a large online B2C platform that provides API-based mobile applications and SaaS to millions of global users. Exploits of this design weakness can create a cascade of API threats that correspond to common API security threats.
The API threats include excessive data exposure, a lack of resource and rate limiting, security misconfiguration and susceptibility to injection attacks from a lack of input filtering.
To exfiltrate sensitive user data, attackers can abuse the lack of authorization between frontend and backend services to obtain a working user account with basic permission levels. With this account access, the attackers can then make guesses about the schema of backend data stores and query for data they aren’t authorized to access.
A lack of resource limitations can leave an organization's integrated backend services vulnerable to a DoS attack. That could render a service entirely unavailable or divert attention away from malicious activity against other applications.
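The two weaknesses described above, missing authorization between frontend and backend and missing resource limits, are what a frontend-side gate has to close before a caller's request reaches the Elastic backend. The following is an added example, not code from the report or from Elastic: a Python check a frontend service could run on a caller's `_search` body before forwarding it, enforcing a per-role field allowlist, a page-size cap, a ban on script clauses and a per-caller rate budget. The role-to-field policy, the numeric limits and the sample bodies are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy for this illustration (assumptions, not from any real deployment):
# fields each role may read from the backend index, a page-size cap and a request budget.
ROLE_FIELDS = {"basic": {"username", "display_name"},
               "support": {"username", "display_name", "email"}}
MAX_SIZE, RATE_LIMIT, WINDOW_SECONDS = 50, 30, 60
LEAF_CLAUSES = {"match", "match_phrase", "term", "terms", "range", "wildcard", "prefix", "fuzzy"}
FORBIDDEN_KEYS = {"script", "script_fields", "script_score", "runtime_mappings"}
_recent = defaultdict(deque)   # caller id -> timestamps of accepted requests


def referenced_fields(node, found=None):
    """Collect every field name a query DSL tree touches; reject script clauses."""
    found = set() if found is None else found
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, value in items:
        if key in FORBIDDEN_KEYS:
            raise ValueError(f"forbidden clause: {key}")
        if (key in LEAF_CLAUSES or key == "exists") and isinstance(value, dict):
            found.update([value.get("field", "")] if key == "exists" else value)  # {"match": {"email": ..}}
        else:
            referenced_fields(value, found)      # bool/must/should wrappers and lists
    return found


def check_request(caller, role, body, now=None):
    """Decide whether the frontend may forward this _search body for the caller."""
    now = time.monotonic() if now is None else now
    source = body.get("_source")
    if not isinstance(source, list) or not source:
        return False, "_source must list the fields requested"   # fail closed
    try:
        wanted = set(source) | referenced_fields(body.get("query", {}))
    except ValueError as err:
        return False, str(err)
    for item in body.get("sort", []):              # sort keys are fields too
        wanted.update([item] if isinstance(item, str) else item)
    extra = wanted - ROLE_FIELDS.get(role, set())
    if extra:
        return False, f"fields not permitted for role {role!r}: {sorted(extra)}"
    size = body.get("size", 10)
    if not isinstance(size, int) or not 0 < size <= MAX_SIZE:
        return False, f"size must be an integer from 1 to {MAX_SIZE}"
    window = _recent[caller]
    while window and now - window[0] > WINDOW_SECONDS:   # drop expired entries
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False, "rate limit exceeded"
    window.append(now)
    return True, "ok"
```

Every rejection fails closed: an unlisted `_source`, a field the role may not read anywhere in the query or sort, an oversized page, a script clause or an exhausted budget all stop the request at the frontend instead of letting the backend answer it.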
While not a vulnerability in Elastic Stack itself, the design implementation flaw poses a risk. The specific queries submitted to the Elastic backend services to exploit this flaw are difficult to test.
As to the severity, that depends on what the organizations themselves have exposed or allowed in terms of permissions. Exposed customer data and DoS attacks do significant material damage to hacked targets. Exploitation of this vulnerability is avoidable, and the flaw can be remediated quickly.