For the second time, University ticketing company Get exposed student data by leaving it exposed through an unsecured API; we know the balance of security and convenience can slow down development, but to have the website use a completely unsecure API is unconscionable.

A user on Redit was able to probe the API without any access tokens or other security, giving access to up to 50,000 Australian students names, emails, birthdays and phone numbers.  As the Redit user said:

More worryingly, the service was available without the use of any tokens, meaning it was available to anyone, whether or not they had signed up to Get, and the data seemed to be for ANY user (even if they never signed up, but someone purchased a ticket for them)

As we know bots are constantly scouring the web for available data — these API endpoints would have been easily scrapable by any bot looking for data that includes name and email addresses. While the data seems innocuous at first, phone numbers and potentially birthdays were also included and can give increasingly sophisticated algorithms more power to hack into other systems.

Get did respond quickly and followed a basic escalation process, including adding security to the endpoints, but it looks as if their basic QA process has not included security checks, that is, the app and the API were both designed to use OAuth tokens, but the production copy was somehow running without security. It is also not clear how long this data had been available without security.

This exposes the flaw in traditional architecture where a single gateway can be enabled or disabled allows full access to all the services in the backend.  Security needs to be part of every service and every step of the development process otherwise huge data breaches like this will continue.

More news on this topic can be found here:

Redit: Massive 50K Australian Student Data Breach :(
https://www.reddit.com/r/unsw/comments/d0qzro/massive_50k_australian_student_data_breach/

The Guardian: Data breach may affect 50,000 Australian university students using ‘Get’ app
https://www.theguardian.com/education/2019/sep/10/data-breach-may-affect-50000-australian-university-students-using-get-app

Australian Financial Review: Get data breach leaves 50,000 students vulnerable
https://www.afr.com/technology/get-data-breach-leaves-50-000-students-vulnerable-20190910-p52ppo