It started as a well-intentioned plan: give businesses real-time mail tracking data so they could serve their customers better. The USPS “Informed Visibility” system delivered on that goal, but it also rolled out the red carpet for cybercriminals, exposing sensitive data on 60 million users.
The business team found a need and created a solution. Engineering implemented the query logic into the system. Security reviewed and approved the changes as they were rolled out.
Unfortunately, every one of those teams missed a basic tenet of security: access control.
With a simple manipulation of a URL, any user logged in to usps.com could query the system for account details belonging to any other user, including email address, username, phone number, and street address. No special hacking tools were needed, just a web browser. Nothing was injected or exploited in the classic sense; the API simply trusted the identifier supplied in the request instead of the identity of the session, the pattern commonly called an insecure direct object reference (IDOR). Even more disturbing was the ability to use wildcards in the search parameters, which returned every record in a data set without the need to search for a specific term. Want the email addresses and phone numbers for every USPS user in your zip code? No problem!
Exploiting these flaws could conceivably let a cybercriminal sign up for a credit card in someone else’s name, then use the tracking system to learn the day the card lands in the victim’s mailbox and swing by to grab it. A simple business logic flaw exposed 60 million people to potential fraud, spam, and phishing.
The Lurking Threat
This cautionary tale illustrates the hidden dangers lurking in business logic flaws. Because of the difficulty in identifying them, the lack of tooling, and the uniqueness of each business, even code reviewed and approved by security can harbor these costly vulnerabilities.
Unlike a traditional security vulnerability, a business logic flaw has ongoing business impact, not just potential security risk. Because the application is doing exactly what its code says, nothing crashes, no error is raised, and no exploit signature fires; the flaw allows continuous siphoning of money and data until it is found and fixed.
Unfortunately, common security testing tools miss most business logic vulnerabilities. Static and dynamic scanners lack the application awareness and context to analyze custom proprietary logic. They are programmed to find generic coding anti-patterns and known bug types like SQL injection and cross-site scripting. They can’t infer what data handling or access rules the developer intended to enforce in multi-step processes.
Securing business logic requires approximating how an expert developer assesses code. This involves reconstructing data flows, control flows, and context to identify violations of the programmer’s intent. Equally important is providing specific guidance to safely remediate findings. Unlike typical bugs, logic flaws resist one-off fixes. Clean solutions involve strengthening input validation, adding missing access controls, improving error handling, and adding behavior monitoring.
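The shape of the USPS flaw described above, and the remediation this paragraph calls for, are easier to see side by side. The following is an added example written for this page; it is not USPS code and not Qwiet’s product code. The table schema, the three sample accounts, the `field`/`value` URL parameters and the `audit_log` list are all hypothetical. The point it makes is that the vulnerable version is fully parameterised, so a SQL injection scanner passes it, yet it lets any logged-in user read any other user’s row and dump whole data sets with a `%` wildcard; the hardened version binds every query to the authenticated principal, rejects wildcard input, and records cross-account probes for behaviour monitoring.

```python
import sqlite3
from urllib.parse import parse_qs

COLUMNS = ("id", "username", "email", "phone", "address")
SEARCHABLE = {"username", "email", "address"}  # allowlist: caller text never becomes SQL syntax

# Constructed sample accounts (hypothetical, not USPS data).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "555-0100", "1 Main St, 10001"),
    (2, "bob",   "bob@example.com",   "555-0101", "2 Oak Ave, 10001"),
    (3, "carol", "carol@example.com", "555-0102", "3 Elm Rd, 20002"),
]

audit_log: list[str] = []  # stand-in for the behaviour-monitoring feed (hypothetical)


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, phone TEXT, address TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return db


def _parse(query_string: str) -> dict[str, str]:
    """Flatten '?field=address&value=%2510001' style URL parameters to one value each."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def vulnerable_lookup(db: sqlite3.Connection, session_user_id: int, query_string: str) -> list[dict]:
    """The flawed design. The SQL is parameterised (no injection), but which rows come
    back is decided entirely by the caller's URL parameters: session_user_id is never
    consulted. LIKE also honours '%' and '_' wildcards, so value=%25 returns every row."""
    params = _parse(query_string)
    field = params.get("field", "username")
    if field not in SEARCHABLE:
        raise ValueError("unknown field")
    sql = f"SELECT {', '.join(COLUMNS)} FROM users WHERE {field} LIKE ?"  # field is allowlisted
    rows = db.execute(sql, (params.get("value", ""),)).fetchall()
    return [dict(zip(COLUMNS, r)) for r in rows]


def hardened_lookup(db: sqlite3.Connection, session_user_id: int, query_string: str) -> list[dict]:
    """The remediation: (1) the missing access control is added server-side, so the
    result set can never widen beyond the authenticated principal; (2) input validation
    treats the value as an exact match and rejects wildcards; (3) attempts that would
    have crossed an account boundary are logged for monitoring."""
    params = _parse(query_string)
    field = params.get("field", "username")
    value = params.get("value", "")
    if field not in SEARCHABLE:
        raise ValueError("unknown field")
    if any(c in value for c in "%_"):
        audit_log.append(f"user={session_user_id} rejected wildcard search {value!r}")
        raise ValueError("wildcards not permitted")
    sql = f"SELECT {', '.join(COLUMNS)} FROM users WHERE id = ? AND {field} = ?"
    rows = db.execute(sql, (session_user_id, value)).fetchall()
    if not rows:
        # A selector naming someone else's record is the signature of an IDOR probe.
        audit_log.append(f"user={session_user_id} no owned row matched {field}={value!r}")
    return [dict(zip(COLUMNS, r)) for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Bob (id 2) asks for every account in zip code 10001; the flawed endpoint hands them over.
    print(vulnerable_lookup(db, 2, "field=address&value=%2510001"))
    # The hardened endpoint returns Bob's own row and nothing else, whatever selector he supplies.
    print(hardened_lookup(db, 2, "field=username&value=bob"))
    print(hardened_lookup(db, 2, "field=username&value=alice"), audit_log)
```

Note what a scanner would see here: both functions use placeholders for the value and an allowlist for the column name, so neither SQL injection nor XSS rules fire. The only difference between them is whether `session_user_id` reaches the `WHERE` clause, and that is a question about intent, not syntax.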
For companies with software as a core component of their business model, flaws in application logic are the most pressing source of preventable business risk.
How We Solve It
Business logic flaws are tricky. Compared with a standard security vulnerability, they are harder to spot and harder to fix. A buffer overflow has a recognizable signature that code analysis can flag and a local fix (a bounds check or a patched library); a business logic flaw has no signature, requires a deeper understanding of what your application is supposed to do, and may require a substantial rewrite to remediate. This is where Qwiet AI can help.
Qwiet’s appsec experts work with your team to understand your applications and their intended functionality. After careful analysis, Qwiet helps create and implement custom policies around your code so that the application behaves as intended, with no unintended logic flaws, and then continuously monitors it with Qwiet AI’s application security testing platform.
Don’t allow flawed logic to drain business value. Get started with a demo showing how our platform finds and fixes costly logic vulnerabilities.