Press Release Banner

Cequence Researchers Discover Critical API Security Vulnerability in One of the Largest Food and Drug Retailers’ IT Infrastructure

Vulnerability found by CQ Prime Threat Research team enabled unauthorized users to access and extract sensitive data

SANTA CLARA, Calif. – October 29, 2024 – Cequence Security, a pioneer in API security and bot management, today announced that its CQ Prime Threat Research Team has identified a critical vulnerability within one of the largest food and drug retailers’ IT infrastructure affecting four subdomains. These subdomains inadvertently exposed the actuator endpoint, enabling unauthorized users to access and extract sensitive data, such as root passwords from heap dumps, which offer a snapshot of active objects and potentially sensitive information.

The vulnerability carries a CVSS score of 9.8, signifying the highest possible severity and potential for widespread breaches, underscoring the urgency and importance of its remediation. It was discovered on May 9, 2024, and has since been patched by the retailer’s team with assistance from Cequence.

Exposed Endpoint Provides Backdoor to AppDynamics

The exposed heap dump endpoint included the admin username and password to AppDynamics, a business observability platform that helps organizations monitor and manage the performance of their applications and IT operations. This access allows attackers to extract memory snapshots directly from the server. These snapshots can be analyzed using tools like Visual VM to reveal confidential information, which could then be leveraged to gain unauthorized administrative access to the AppDynamics portal.

With such admin access, malicious actors could:

  • Add and delete employee login access
  • Monitor traffic across all applications, including in-store and online retail activity
  • Create policies to view or exfiltrate sensitive account information, increasing the risk of data breaches
  • Introduce policies that hinder normal operations, disable security measures, or create backdoors for future attacks
  • Obtain valid access tokens without proper authorization, allowing them to impersonate legitimate API clients

“The implications of this exposure are substantial,” said Parth Shukla, Security Engineer at Cequence. “An attacker with access to AppDynamics could potentially monitor all of the retailer’s applications, gaining insights into online orders, customer behavior, and even in-store point-of-sales data. This could expose vast amounts of sensitive information and leave the entire operational landscape vulnerable to scrutiny and manipulation.”

Offensive Research Powered by API Spyder

The CQ Prime Threat Research team detected the vulnerability using red teaming efforts and API Spyder, Cequence’s SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify external API hosts, unauthorized hosting providers, and API-specific security issues.

“It’s our mission to make the world a safer place. That’s why, in addition to defensive research for our customers, we also conduct offensive research to actively seek out vulnerabilities before malicious actors do,” said Randolph Barr, CISO at Cequence. “Our CQ Prime Threat Research Team constantly simulates real-world attacks to uncover and neutralize potential threats. This proactive approach ensures we stay one step ahead, safeguarding our clients and their data.”

Once discovered, a bad actor could potentially allow unauthorized access to administrative functions. This weakness meant that an attacker could bypass the need for a compromised login ID and password, instead gaining the ability to create, update, delete, and modify system operations through their own access credentials.

Additional Resources:

  • Learn more about the vulnerability in our latest blog.
  • Follow us on LinkedIn and X.

About Cequence Security

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection across all internal, external, and third-party APIs to defend against attacks, targeted abuse, and fraud. The flexible deployment model supports SaaS, on-premises, and hybrid installations, and APIs can be onboarded in less than 15 minutes without requiring any app instrumentation, SDK, or JavaScript integration. Cequence solutions scale to handle the most demanding government, Fortune and Global 500 organizations, securing more than 8 billion daily API interactions and protecting more than 3 billion user accounts. To learn more, visit www.cequence.ai.

Media Contact
Katrina Porter
press@cequence.ai