Cox Communications Patches Newly Discovered Critical API Bug
Security Researcher Says Flaw Came From 700 Exposed APIs Belonging to Cox
A newly discovered critical vulnerability in Cox Communications' backend infrastructure exposed millions of business customer devices to potential attacks that would allow threat actors to take over accounts and access sensitive data.
Independent researcher Sam Curry, who first identified the flaw affecting one of the largest broadband providers in the United States, said in a Monday blog post that the vulnerability stemmed from 700 exposed APIs belonging to Cox Communications. Many of those APIs included administrative functionality that could have allowed attackers to steal personally identifiable information, modify millions of modems, and execute commands, Curry said.
"Each API suffered from the same permission issue," he said, adding that the flaw effectively gave threat actors the permissions of an internet service provider support team. "Replaying HTTP requests repeatedly would allow an attacker to run unauthorized commands."
The flaw resulted from an apparent error in the Spring framework code, which is commonly used to develop web applications and handle API requests. The coding error led to a series of vulnerabilities affecting proxy API requests sent to Cox Communications' dedicated backend system, while front-end files were served differently.
Curry provided a timeline of how he first discovered the since-patched vulnerability, beginning two years ago when "something very strange happened" as he was working from his home network.
"I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server," he said. "Somewhere, between my home network and the AWS box, someone had intercepted and replayed my HTTP traffic."
Outside parties should not have been able to see Curry's traffic, he said, since there was no intermediary between the two systems he was using to exploit the vulnerability.
"My immediate thought was that my computer had been hacked and that the hacker was actively monitoring my traffic," Curry said.
The researcher quickly determined that Amazon Web Services had not been compromised, after using an alternative method that did not involve one of the company's devices. He later found that the IP address replaying his network traffic had been involved in an incident a year earlier, when it was used "to host phishing infrastructure that targeted a South American cybersecurity company."
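Both the interception-and-replay behaviour Curry describes and the replayed requests that could run unauthorized commands leave the same trace in a web server's access log: one request fingerprint recurring within a short window, from a different client address or in a burst from the same one. The following is an added example, not code from Curry's post or from Cox. It is a small Python replay detector run over constructed log lines in an assumed `timestamp client-ip method path status body-hash` format; the IP addresses, paths and timestamps are made up for illustration.

```python
"""Flag replayed HTTP requests in an access log (added example, not Cox or Curry code).

Assumed log format, one request per line:
    <iso-timestamp> <client-ip> <method> <path> <status> <body-hash-or-dash>
A request fingerprint is (method, path, body hash).  Two findings are raised:
  * cross_ip_replay : the fingerprint reappears within the window from a client
                      IP other than the one that first sent it (interception/replay)
  * burst_replay    : the same client repeats the fingerprint burst_threshold
                      times within the window (request hammering)
Each finding records whether the replayed request got a non-error status, which is
what an incident responder needs to decide whether the replay actually succeeded.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(seconds=300)

# Constructed sample log (not real traffic): 203.0.113.10 is the legitimate client,
# 198.51.100.7 replays its admin request 17 seconds later.
SAMPLE_LOG = """\
2024-06-03T10:00:00 203.0.113.10 POST /api/admin/modem/reset 200 ab12cd
2024-06-03T10:00:02 203.0.113.10 GET /api/account/12345 200 -
2024-06-03T10:00:17 198.51.100.7 POST /api/admin/modem/reset 200 ab12cd
2024-06-03T10:01:00 203.0.113.10 POST /api/admin/modem/reset 200 ab12cd
2024-06-03T10:01:01 203.0.113.10 POST /api/admin/modem/reset 200 ab12cd
2024-06-03T10:01:02 203.0.113.10 POST /api/admin/modem/reset 200 ab12cd
2024-06-03T11:30:00 203.0.113.10 GET /api/account/12345 200 -
"""


def parse_line(line):
    """Split one access-log line into a record; raises ValueError on malformed input."""
    ts, ip, method, path, status, body_hash = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "body": body_hash,
    }


def find_replays(log_text, window=REPLAY_WINDOW, burst_threshold=3):
    """Return a list of finding dicts, in log order."""
    seen = defaultdict(list)  # fingerprint -> [(timestamp, client-ip), ...] within window
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = parse_line(raw)
        fp = (rec["method"], rec["path"], rec["body"])
        # Keep only earlier sightings of this fingerprint that are still inside the window.
        recent = [(t, ip) for t, ip in seen[fp] if rec["ts"] - t <= window]
        base = {
            "line": lineno,
            "ts": rec["ts"].isoformat(),
            "ip": rec["ip"],
            "path": rec["path"],
            "succeeded": rec["status"] < 400,
        }
        # Cross-IP replay: someone other than the original sender repeats the exact request.
        first_ip = recent[0][1] if recent else None
        if first_ip is not None and first_ip != rec["ip"]:
            findings.append(dict(base, kind="cross_ip_replay", first_ip=first_ip))
        # Burst replay: the same client hammers one request; emit once, when the
        # threshold is first reached.
        same_ip_count = sum(1 for _, ip in recent if ip == rec["ip"]) + 1
        if same_ip_count == burst_threshold:
            findings.append(dict(base, kind="burst_replay", first_ip=rec["ip"]))
        recent.append((rec["ts"], rec["ip"]))
        seen[fp] = recent
    return findings


if __name__ == "__main__":
    for f in find_replays(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['path']} from {f['ip']} "
              f"(first seen from {f['first_ip']}, succeeded={f['succeeded']})")
```

Run against the sample, the detector reports the admin request replayed from the second address at line 3 and the three-request burst from the original client at line 5; both are marked as succeeded because the server answered 200, which is the case worth paging on when the endpoint is administrative. In production the fingerprint would normally also include the authenticated principal, so that a legitimate client retrying its own request is not confused with a replay by a third party.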
Cox Communications in a statement sent to Information Security Media Group thanked Curry for identifying the vulnerability.
"Once we learned of the vulnerability, we worked quickly to resolve it," said Christine Woodhouse, Cox's director of corporate communications. "We can confirm that no customer data was compromised, nor any customer devices affected."