Leaked API keys of three popular email service providers allowed threat actors to perform various unauthorized actions such as sending emails, accessing mailing lists and personal data, deleting API keys, and modifying two-factor authentication, hence putting 54 million users at risk.
Email marketing companies provide users with various services, like sending, validating, and receiving emails through their domain, creating emails and email campaigns, and tracking the performance of marketing campaigns.
The email service providers use a piece of software called API (Application Programming Interface) to allow their applications to communicate across various platforms without human intervention. An API key is a unique identifier users, developers, or calling programs utilize to authenticate themselves.
CloudSEK’s BeVigil research team uncovered that about 50% of apps on Google Playstore from 600 examined are leaking API keys of three email service providers – MailChimp, Mailgun, and Sendgrid. According to the report, the mentioned platforms are used by such companies as Spotify, Uber, Airbnb, RazorPay, Slack, Reedit, and Stripe. The API key leak could potentially lead to the exploitation of users’ data.
Mailchimp’s users’ private data could be accessed
Mailchimp is one of the most popular email marketing services on the market, with around 14 million users and 600 million emails sent through the platform daily, according to the statistics provided by the company.
According to the report, 29,308,710 Mailchimp users were affected by the discovered API key leak. The highest number of affected users are in the US, followed by the UK and Spain. The API keys could potentially allow a threat actor to read email conversations, accessing the sender’s and receiver’s emails, subject line, and the actual message.
The researchers also managed to obtain information about a specific store’s customers to track their orders and view e-commerce data, including full names, email IDs, shipping addresses, billing addresses, latitude, and longitude. The perpetrators could also fetch the details of all the promo codes used by the MailChimp shops, along with the ability to create new promo codes with any discount rate.
The leak exposed multiple campaign email lists containing clients’ personally identifiable information (PII), such as full names, full residence addresses, email IDs, IP addresses, latitude, and longitude. Researchers revealed that the compromised data included 7.5 million customers’ email lists and 1.3 million store and order data.
The uncovered leak is of particular danger, as API keys could serve in authorizing 3rd party applications connected to a MailChimp account and start a fake campaign or send emails on behalf of the company.
Mailgun’s data could be used for phishing attacks
Mailgun platform provides email API services enabling brands to send, validate, and receive emails through their domain at scale. According to the report, the API leak compromised 6,798,665 Mailgun users’ data. Mainly, the users in the US were affected, followed by Russia and Brazil.
Researchers note that the leak would allow a threat actor to send and read emails sent by the Mailgun customers, fetch all the statistics calculated in hourly, daily, and monthly resolution in the UTC timezone, and retrieve customers’ mailing lists. Also, they were able to find out Simple Mail Transfer Protocol (SMTP) credentials and IP addresses. It causes most concerns, as it could be used to launch a phishing campaign.
SendGrid’s APIs could be used to hijack accounts
SendGrid platform, providing cloud-based email marketing services, was also affected by the leak. 18,143,455 affected users were mainly based in the US, followed by UK and India.
The platform’s customers’ API keys could be used as a tool to send emails on behalf of the clients, significantly increasing the billing. Also, the security loophole would allow threat actors to create API Keys, control IP addresses used to access users’ accounts, and modify two-factor authentication (2FA).
This security issue is dangerous because it enables the perpetrators to add an unlimited amount of malicious IP addresses and even remove legitimate user IP addresses blocking their own access to their accounts.
Keeping APIs safe
CloudSEK has notified the involved companies and the affected apps about the hardcoded API keys. “In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative,” say researchers in the report.
The team advises software developers to avoid embedding API keys into their applications. It should follow secure coding and deployment practices, like standardizing review procedures, rotating and hiding keys, and using a vault.