Monday Morning Alert: Suspicious Traffic
At 08:47, our SIEM flagged unusual activity on the customer API – 412 requests in 15 minutes to /v1/users/profile from a single IP. No 429 errors meant rate limits weren't triggered. First thought: "Another marketing team script gone wild."
Reality was worse. The endpoint returned:
- Full names
- Phone numbers
- Password hashes (thankfully bcrypt)
- Order history
- Testing: Mock authorization existed but only checked for HTTP 200 status
- Documentation: Swagger marked the endpoint as "requires JWT" while the code ignored it
- Monitoring: Anomaly alerts for unauthorized requests were only added post-breach
- Implemented mandatory auth checks via pre-commit hooks
- Added SIEM rules for authorized/unauthorized request ratios
- Filed a CVE (yes, we're angry) against the framework that silently swallowed JWT errors
And yes, marketing finally got their dedicated endpoint with restricted data. After three attempts to explain that "we need everything" isn't a security rationale.
We'd dismissed a similar case in last year's report as "not applicable to our stack."
Remediation Steps
Beyond the obvious (hotfix, API audit, user notifications):
- Documentation: Swagger marked the endpoint as "requires JWT" while the code ignored it
...with zero authentication. Just knowing the URL granted access.
How This Passed Code Review
Process failures we identified:
- Testing: Mock authorization existed but only checked for HTTP 200 status