Major retailer's IT flaw exposes sensitive data, now fixed

Cequence Security has identified a critical vulnerability within the IT infrastructure of one of the largest food and drug retailers, affecting four subdomains.

The issue was discovered by Cequence's CQ Prime Threat Research Team and involves subdomains that exposed the actuator endpoint, allowing unauthorised access to sensitive data, including root passwords from heap dumps. These dumps provide a snapshot of active objects and can contain sensitive information. The vulnerability has been assigned a CVSS score of 9.8, indicating a severe potential for breaches. It was initially discovered on 9 May 2024 and has since been addressed with a patch implemented by the retailer's IT team with assistance from Cequence.

The exposure included access to the admin username and password for AppDynamics, a business observability platform used to monitor application performance. With this access, attackers could extract memory snapshots directly from the server, which could be analysed to uncover confidential information, gaining unauthorised administrative access to AppDynamics.

The potential exploitation of this access could allow malicious actors to add or delete employee login access, monitor application traffic including retail activities, create policies to view or exfiltrate sensitive information, introduce measures that disrupt regular operations, and generate backdoors for further attacks. They could also obtain valid access tokens, impersonating legitimate API clients.

"The implications of this exposure are substantial," said Parth Shukla, Security Engineer at Cequence. "An attacker with access to AppDynamics could potentially monitor all of the retailer's applications, gaining insights into online orders, customer behaviour, and even in-store point-of-sales data. This could expose vast amounts of sensitive information and leave the entire operational landscape vulnerable to scrutiny and manipulation."

The vulnerability was detected using API Spyder, Cequence's discovery tool, which provides an external view of an organisation's public resources. This tool helps identify external API hosts and security issues. Randolph Barr, Chief Information Security Officer at Cequence, commented on their approach, "It's our mission to make the world a safer place. That's why, in addition to defensive research for our customers, we also conduct offensive research to actively seek out vulnerabilities before malicious actors do. Our CQ Prime Threat Research Team constantly simulates real-world attacks to uncover and neutralize potential threats. This proactive approach ensures we stay one step ahead, safeguarding our clients and their data."

This weakness meant that a bad actor could bypass login credentials and perform administrative functions, potentially modifying system operations and impacting security measures significantly.

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection across all internal, external, and third-party APIs to defend against attacks, targeted abuse, and fraud. The flexible deployment model supports SaaS, on-premises, and hybrid installations, and APIs can be onboarded in less than 15 minutes without requiring any app instrumentation, SDK, or JavaScript integration.