Ensuring the security of a major Indian healthcare company by addressing a misconfigured API leaking sensitive personal and medical information.
A major Indian healthcare company
Healthcare
India
Misconfigured API
Leakage of personal and medical information, including full names, DOB, mobile numbers, addresses, and medical reports, through a misconfigured API
CloudSEK BeVigil discovered a misconfigured API in a JavaScript file associated with a major Indian healthcare company's asset. The exposed API keys and authentication tokens provided unauthenticated access to sensitive endpoints, allowing unauthorized users to access personal and medical information. This included the ability to download medical reports and potentially take over Ayushman Bharat accounts using leaked tokens.
Unauthorized access to personal medical data can result in significant privacy violations, identity theft, and fraud. Healthcare providers may face legal liabilities and reputational damage due to the exposure of patient information. Additionally, patient safety could be compromised if sensitive medical data is accessed or tampered with, leading to incorrect medical treatments.
CloudSEK BeVigil promptly identified and secured the misconfigured API, ensuring the exposed data was protected and access was restricted.
Implementation:
Detection:
CloudSEK BeVigil discovered the misconfigured API in a JavaScript file associated with the healthcare company's asset.
Threat Analysis:
• The exposed API keys and authentication tokens provided unauthenticated access to sensitive endpoints, allowing unauthorized users to access personal and medical information.
• The analysis revealed the potential for unauthorized access to Ayushman Bharat Health Account (ABHA) accounts and the ability to download medical reports.
Immediate Actions:
• The healthcare company's infosec team secured the misconfigured API based on CloudSEK's advice to prevent further unauthorized access.
• Access controls were implemented to enforce the principle of least privilege, using OAuth 2.0 or API keys for authentication.
• API key rotation and rate-limiting controls were put in place to prevent abuse.
Preventive Measures:
• Role-Based Access Control (RBAC) principles were applied to manage access based on user roles.
• Employees were educated on the importance of securing sensitive information and following best practices for API security.
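As an added illustration of the controls listed under Immediate Actions and Preventive Measures (example code written for this page, not the healthcare company's or CloudSEK's own), the sketch below contrasts a report-download handler that trusts any caller, the pattern described above, with one that requires a per-user bearer token, applies a per-user rate limit, and enforces role-based least privilege. All tokens, users, roles and reports are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Constructed sample data for this example; none of it comes from the case study.
SESSIONS = {"tok-p42": "patient-42", "tok-d7": "dr-7", "tok-i9": "intern-9"}  # bearer token -> user
ROLES = {"patient-42": "patient", "dr-7": "doctor", "intern-9": "intern"}     # user -> role
REPORTS = {  # report id -> (owning patient, report bytes)
    "rpt-1001": ("patient-42", b"%PDF-1001"),
    "rpt-1002": ("patient-77", b"%PDF-1002"),
}
RATE_LIMIT, WINDOW_SECONDS = 5, 60.0
_requests = defaultdict(deque)  # user -> timestamps of recent requests (sliding window)


def download_report_before(report_id):
    """The exposed pattern: a key shipped in the JS bundle is the only 'credential',
    so the server cannot tell callers apart and hands any report to anyone."""
    return (200, REPORTS[report_id][1]) if report_id in REPORTS else (404, b"")


def _rate_limited(user, now):
    """Allow at most RATE_LIMIT requests per user per WINDOW_SECONDS."""
    window = _requests[user]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def _may_read(user, report_id):
    """RBAC with least privilege: doctors read any report, patients only their own,
    every other role (e.g. intern) nothing."""
    role = ROLES.get(user)
    owner = REPORTS[report_id][0]
    return role == "doctor" or (role == "patient" and owner == user)


def download_report(headers, report_id, now=None):
    """Hardened handler: authenticate the user, rate-limit, then authorize per report.
    Returns (HTTP status, body)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    user = SESSIONS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        return (401, b"")            # no valid per-user token: nothing is served
    if _rate_limited(user, now):
        return (429, b"")            # blunts bulk downloading even with a valid token
    if report_id not in REPORTS:
        return (404, b"")
    if not _may_read(user, report_id):
        return (403, b"")            # authenticated but not entitled to this report
    return (200, REPORTS[report_id][1])
```
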