API Security Weekly: Issue #29

This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints.

Vulnerabilities and Breaches

Some car owners install hardware GPS tracking devices in their vehicles, which are accessed and managed through mobile apps. Two such apps, iTrack and ProTrack, got hacked, with about 7,000 and 20,000 users affected respectively. Both apps were backed by cloud APIs, shipped with the default password 123456, and the APIs allowed brute-force enumeration of device IDs. Attackers could get information on both the car and its owner, such as location, owner name, phone number, address, model, make, IMEI number, etc. With some tracker models, the attackers could have even sent commands to the vehicle, for example, to kill the engine.
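The two weaknesses in that story are an unchanged vendor default password and an endpoint that returns any tracker record for any ID without checking who owns it. The following is an added illustration, not code from the newsletter or from either app: a toy in-memory tracker API with the vulnerable lookup beside a hardened one, a login that refuses accounts still on the default password, and a small log-based detector that flags a token walking many distinct tracker IDs. All users, trackers, IMEI values, tokens and log lines are constructed sample data.

```python
"""Added example: object-level authorization, default-password enforcement and
enumeration detection for a tracker lookup API. Everything here is constructed
for illustration (hypothetical records, tokens and log format)."""

import re
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_PASSWORD = "123456"  # the vendor default named in the report


@dataclass
class User:
    user_id: int
    password: str
    password_changed: bool  # False while the vendor default is still in use


@dataclass
class Tracker:
    tracker_id: int
    owner_id: int
    location: str
    imei: str


# Constructed sample data (placeholders, not real identifiers).
USERS = {
    1: User(1, "correct horse battery", True),
    2: User(2, DEFAULT_PASSWORD, False),
}
TRACKERS = {
    1001: Tracker(1001, 1, "51.50,-0.12", "IMEI-PLACEHOLDER-1"),
    1002: Tracker(1002, 2, "48.85,2.35", "IMEI-PLACEHOLDER-2"),
}


def authenticate(user_id, password, enforce_password_change=True):
    """Return the User on success, else None.

    Hardened behaviour: an account that still uses the vendor default password
    is not granted a session (it should only be allowed to set a new password).
    """
    user = USERS.get(user_id)
    if user is None or user.password != password:
        return None
    if enforce_password_change and not user.password_changed:
        return None
    return user


def lookup_tracker_vulnerable(caller, tracker_id):
    # Vulnerable: the ID is trusted without an ownership check, so any
    # authenticated caller can walk 1000, 1001, 1002, ... and read every record.
    return TRACKERS.get(tracker_id)


def lookup_tracker_hardened(caller, tracker_id):
    # Hardened: object-level authorization, and the same response for
    # "does not exist" and "not yours" so the ID space cannot be mapped.
    tracker = TRACKERS.get(tracker_id)
    if tracker is None or tracker.owner_id != caller.user_id:
        return None
    return tracker


def ids_leaked_to(lookup, caller, id_range):
    """Which IDs in id_range return a record to this caller? Used to compare
    the two handlers; on the hardened one only the caller's own IDs appear."""
    return [i for i in id_range if lookup(caller, i) is not None]


# Constructed access-log format: "<timestamp> token=<t> GET /api/trackers/<id> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) GET /api/trackers/(?P<tid>\d+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2019-04-01T10:00:00Z token=tok-owner GET /api/trackers/1001 200
2019-04-01T10:00:05Z token=tok-owner GET /api/trackers/1001 200
2019-04-01T10:01:00Z token=tok-walker GET /api/trackers/1000 404
2019-04-01T10:01:01Z token=tok-walker GET /api/trackers/1001 200
2019-04-01T10:01:02Z token=tok-walker GET /api/trackers/1002 200
2019-04-01T10:01:03Z token=tok-walker GET /api/trackers/1003 404
2019-04-01T10:01:04Z token=tok-walker GET /api/trackers/1004 404
2019-04-01T10:01:05Z token=tok-walker GET /api/trackers/1005 404
"""


def flag_enumeration(log_text, max_distinct_ids=5):
    """Return tokens that requested more than max_distinct_ids distinct tracker
    IDs. A legitimate owner touches a handful of IDs; a walker touches many,
    and the 404s it collects along the way are the tell."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not tracker lookups
        seen[m.group("token")].add(int(m.group("tid")))
    return sorted(t for t, ids in seen.items() if len(ids) > max_distinct_ids)


if __name__ == "__main__":
    owner = USERS[1]
    print("vulnerable leaks:", ids_leaked_to(lookup_tracker_vulnerable, owner, range(1000, 1010)))
    print("hardened returns:", ids_leaked_to(lookup_tracker_hardened, owner, range(1000, 1010)))
    print("flagged tokens:", flag_enumeration(SAMPLE_LOG))
```

The ownership check in `lookup_tracker_hardened` is the fix for the enumeration problem; the detector is a compensating control for the period before such a fix ships, and the threshold of five distinct IDs per token is a constructed value that a real deployment would tune against its own traffic.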