Business Information Leak - Analytics
Need
Prevent unauthorized access to business analytics through exposed API key
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Plug (1.12.0 and above) for building composable web applications in Elixir
Description
1. Non compliant code
defmodule MyApp.AnalyticsController do
use MyApp.Web, :controller
def show(conn, %{"apiKey" => apiKey}) do
if apiKey == "exposed_api_key" do
analytics = MyApp.Analytics.get()
render(conn, "show.json", analytics: analytics)
end...This insecure code exposes an API key in a Swagger URL that could be used to access business analytics. This can lead to a serious information breach, where unauthorized users could gain access to valuable business insights.
2. Steps
• API keys should never be exposed in the code or URLs.
• Use secure methods to store and access API keys, such as environment variables or secure configuration files.
• Implement access controls to ensure that only authorized personnel can access the analytics.
3. Secure code example
defmodule MyApp.AnalyticsController do
use MyApp.Web, :controller
def show(conn, %{"apiKey" => apiKey}) do
if apiKey == System.get_env("API_KEY") and authorized?(conn) do
analytics = MyApp.Analytics.get()
render(conn, "show.json", analytics: analytics)
send_resp(conn, :unauthorized, "")...The secure code compares the provided API key with a securely stored key, and only provides analytics if the user is authorized. This ensures that the API key and business analytics are not exposed to unauthorized users.
References
• 228. Business Information Leak - Analytics