"Mobile App Users at Risk as API Keys of Email Marketing Services Exposed"

Security researchers used CloudSEK's BeVigil security search engine to analyze 600 apps on the Google Play store and found that 50% were leaking application programming interface (API) keys of three popular transactional and marketing email service providers: Mailgun, MailChimp, and SendGrid. CloudSEK has notified the providers and the publishers of the affected apps about the hardcoded API keys. The researchers noted that the leaked keys allow threat actors to perform various unauthorized actions, such as sending emails, deleting API keys, and modifying two-factor authentication (2FA) settings. Across all three providers, the USA had the highest number of downloads of affected apps, followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users exposed.

Mailgun provides email API services that let brands send, validate, and receive email through their own domain at scale. In this case, a leaked API key could allow threat actors to send and read emails; obtain Simple Mail Transfer Protocol (SMTP) credentials, IP addresses, and statistics; and retrieve customer mailing lists in order to launch phishing campaigns. CloudSEK said that 35% of the analyzed packages contained a valid Mailgun key embedded in their Android code, and 132 domains were configured with the valid keys.

MailChimp is an email marketing service first introduced in 2001 and relaunched as a paid service with a freemium option in 2009. Here, a leaked API key would allow threat actors to read conversations, fetch customer information, expose the email lists of multiple campaigns containing personally identifiable information (PII), start fake email campaigns, and manipulate promotional codes. The researchers also noted that threat actors could authorize third-party applications connected to a MailChimp account.
The researchers highlighted that of the 319 MailChimp API keys identified, 28% were valid, and of those, 12 keys allowed read access to email.

Finally, SendGrid is a communication platform for transactional and marketing email. It provides cloud-based services that help businesses send shipping notifications, friend requests, sign-up confirmations, email newsletters, and similar messages. A leaked SendGrid key would allow a threat actor to send emails, create API keys, and control the IP addresses permitted to access the account. Of the 319 SendGrid API keys found, 128 were valid; of those, 121 could be used to send email, 65 to delete API keys, and 42 to modify 2FA settings.

The researchers stated that software developers must avoid embedding API keys in their applications and should follow "secure coding and deployment practices like standardized review procedures, rotate keys, hide keys and use vault." Because anything shipped in an APK can be recovered with freely available decompilers, "hiding" a key in client code only delays its discovery: calls to an email provider belong behind a backend the app authenticates to, with the provider key stored only on that backend, and any key that has ever shipped in a client build should be treated as compromised and rotated.
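The first step in auditing an app for the problem described above is simply to look for the key shapes in whatever text can be pulled out of the package (a `strings` dump of `classes.dex`, apktool or jadx output). The scanner below is an added example written for this page; it is not CloudSEK's BeVigil tooling or any provider's code. The regular expressions follow the publicly documented shapes of legacy Mailgun private keys (`key-` plus 32 alphanumerics), Mailchimp keys (32 hex characters plus a `-usN` datacenter suffix) and SendGrid v3 keys (`SG.` plus a 22-character id and a 43-character secret); treat those shapes as assumptions to tune against real samples, and the embedded "strings dump" is constructed for the example.

```python
"""
Scan text extracted from an Android app for hardcoded email-provider API keys.

Added example for this article, not CloudSEK's or any provider's code.
Key shapes are assumptions based on the providers' published key formats.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

KEY_PATTERNS = {
    # Legacy Mailgun private API keys: "key-" followed by 32 alphanumerics (assumed shape).
    "mailgun": re.compile(r"\bkey-[0-9a-zA-Z]{32}\b"),
    # Mailchimp keys: 32 hex chars, a dash, then the datacenter suffix, e.g. -us6 (assumed shape).
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    # SendGrid v3 keys: "SG." + 22-char key id + "." + 43-char secret (assumed shape).
    # Lookarounds instead of \b because the base64url alphabet includes "-" and "_".
    "sendgrid": re.compile(
        r"(?<![A-Za-z0-9_-])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"
    ),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int
    key: str

    def redacted(self) -> str:
        # Enough to identify the key in a report without copying the whole secret into it.
        return f"{self.key[:8]}...{self.key[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return every key-shaped token in `text`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, match.group(0)))
    return findings


def scan_directory(root: str) -> dict[str, list[Finding]]:
    """Scan every file under `root` (e.g. an apktool or jadx output tree)."""
    results: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read())
            if hits:
                results[path] = hits
    return results


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per provider, mirroring the per-provider totals in the report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.provider] = counts.get(f.provider, 0) + 1
    return counts


# Constructed sample resembling `strings classes.dex` output. The keys are fake
# and built to match the shapes above; none of them is a real credential.
FAKE_MAILGUN = "key-" + "0123456789abcdef" * 2          # key- + 32 alphanumerics
FAKE_MAILCHIMP = "deadbeef" * 4 + "-us6"               # 32 hex + datacenter suffix
FAKE_SENDGRID = "SG." + "A" * 22 + "." + "B" * 43      # SG.<22>.<43>

SAMPLE_STRINGS_DUMP = "\n".join([
    "Lcom/example/app/BuildConfig;",
    f'public static final String MAILGUN_KEY = "{FAKE_MAILGUN}";',
    f'public static final String MAILCHIMP_KEY = "{FAKE_MAILCHIMP}";',
    f'private static final String SENDGRID_KEY = "{FAKE_SENDGRID}";',
    # A SHA-256-looking hex string must not be reported as a Mailchimp key.
    f'String checksum = "{"ab" * 32}";',
    # Too short to be a Mailgun key.
    'String tag = "key-abc123";',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS_DUMP):
        print(f"line {f.line_no}: {f.provider} key {f.redacted()}")
    print(summarize(scan_text(SAMPLE_STRINGS_DUMP)))
```

A hit only tells you a key-shaped string shipped in the client; whether it is still live has to be checked against the provider's own API (not shown here, since it needs network access and a real account), which is the step CloudSEK used to separate the valid keys from the rest. Either way, a key that has been in a published APK should be rotated and the provider calls moved server-side rather than merely obfuscated.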


Infosecurity reports: "Mobile App Users at Risk as API Keys of Email Marketing Services Exposed"
