15/06/2023
Anatomy of the Bykea Hack - An Analysis on API Key Leaks and Their Impact
------------------------------------------------------------------------------
On June 13th 2023, a wave of unexpected notifications flooded the screens of Bykea application users. Here is my analysis of what transpired:
Bykea was using a third-party service, OneSignal, to dispatch push notifications to its mobile applications. A security misconfiguration exposed a OneSignal API key in the production environment, and the threat actor who obtained it used it to push notifications to Bykea's users. An API key is effectively a password for an application: whoever presents it is authenticated as that application, with no further proof of identity. Shipping an API key in a production artifact where anyone can read it is like leaving your house keys under the doormat.
Prima facie, this incident does not appear to have involved access to Bykea's own infrastructure; it exploited an external integration with a third party. It is therefore unlikely that customer data was compromised, with one caveat: a push provider's server-side key typically also grants read access to the provider's subscriber records (device identifiers and any tags attached to them), so the real exposure depends on what the leaked key was permitted to do. Even without any data access, the ability to push arbitrary messages under Bykea's name is itself a phishing vector. Card data is not at risk in any case, since Bykea is not PCI-DSS certified and therefore does not store debit/credit card details itself; those are held by its merchant payment processor.
At the strategic level, a robust process should ensure that no code moves to production without sign-off from the security team. At the tactical level, automated security scanning that flags misconfigurations such as hardcoded keys should be part of the CI/CD pipeline, and it should run against the built release artifact as well as the source tree, since a key injected at build time never appears in the repository. Dynamic testing of the deployed application should follow. Companies should also rotate API keys on a schedule and immediately on any suspected exposure: rotation limits how long a leaked key stays useful, and revoking the leaked key is the only immediate fix once it is public.
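To make the tactical recommendation concrete, here is a minimal pre-deploy secret scan of the kind that belongs in a CI/CD gate. It is an added example written for this page, not Bykea's or OneSignal's code, and it makes no claim about how Bykea's pipeline was configured. It combines two detectors: fixed patterns for credentials with a known shape (an assignment such as REST_API_KEY = "..." or an AWS access key prefix) and a Shannon-entropy check that catches opaque tokens the patterns miss. Public identifiers that are expected in client code, such as a push provider's UUID-shaped app id, are deliberately allowlisted so the gate does not cry wolf. The file paths, variable names and key values are constructed sample input; none of the values are real credentials.

```python
"""Pre-deploy secret scan: fail the build if a credential is about to ship."""
import math
import re
from collections import Counter
from typing import Dict, List

# Credentials that must never reach a client build or a production artifact.
# The generic pattern covers assignments like REST_API_KEY = "..." (the shape of
# a push-provider server key); the AWS prefix is well known. Anything else is
# left to the entropy check below.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "assigned_api_key": re.compile(
        r"(?i)(?:rest[_-]?api[_-]?key|api[_-]?key|secret)\s*[:=]\s*"
        r"['\"]?(?P<secret>[A-Za-z0-9_\-+/]{24,})"
    ),
}

# Identifiers that are public by design and expected in client code, e.g. a
# push provider's app id (a UUID). These are skipped, not flagged.
PUBLIC_ID_PATTERNS = [
    re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I),
]

TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; pure hex tops out at 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per suspected secret in text, tagged with file and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # tokens already reported by a pattern on this line
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group("secret")
                seen.add(secret)
                findings.append({"path": path, "line": lineno, "kind": kind, "token": secret})
        for token in TOKEN_RE.findall(line):
            if token in seen or any(p.match(token) for p in PUBLIC_ID_PATTERNS):
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "kind": "high_entropy", "token": token})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a {path: contents} mapping, i.e. the checkout plus the built artifacts."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def gate(files: Dict[str, str]) -> bool:
    """CI gate: True means the artifact is clean and may be promoted to production."""
    return not scan_files(files)


# Constructed sample input: a client source file, a deployment env file and a
# built JS bundle. None of these values are real credentials.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Push.java": (
        '// Public identifier, expected in client code\n'
        'String ONESIGNAL_APP_ID = "8d3e1c0a-5b2f-4e7a-9c1d-0f6b2a4e8c11";\n'
        '// Server-side secret that must never be compiled into the app\n'
        'String ONESIGNAL_REST_API_KEY = "NGQ2YjFhOTktM2Y4Mi00YjBkLTk5YjMtZDFjMjQ3ZTZlMjQ5";\n'
    ),
    "deploy/.env.production": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_HOST=db.internal\n",
    "build/bundle.min.js": 'e.headers.Authorization="Basic aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV_wX-yZ";\n',
    "README.md": "Run ./gradlew assembleRelease to build.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['token'][:8]}...")
    raise SystemExit(0 if gate(SAMPLE_FILES) else 1)
```

Run against the sample input, the gate reports the REST API key assigned in the Java source, the AWS key in the deployment env file and the opaque bearer value baked into the minified bundle, while leaving the public app id alone, and exits non-zero so the pipeline stops. The bundle case is the one that matters most for an incident like this: a key pulled from an environment variable at build time is invisible to a source-only scanner, so the scan has to read the release artifact that is actually going to production.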
In today's interconnected world, organizations rely on many third-party applications and integrations to deliver their services. The push for rapid releases sometimes leads to security checks being rushed or skipped, as this incident shows. It is important to strike a balance between speed of deployment and robust security measures.