SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Life360 breach exposes 442,000 users: experts warn of API vulnerabilities

Wed, 7th Aug 2024

A significant data breach has transpired involving Life360, a family safety and location-sharing platform. The personal information of over 442,519 users has been exposed due to a security flaw within the company's API systems. The breach, which affected names, phone numbers, and email addresses, has raised numerous concerns about the robustness of API security practices and the potential consequences for affected users.

Jason Kent, Hacker in Residence at Cequence, an API protection solutions provider, elaborated on the mechanics of the attack. "This is a fairly interesting attack in that it took the attackers looking at the response data on the mobile app channel showed sensitive data beyond what was needed for the transaction to complete. This illustrates the need to test APIs for things like sensitive data in the responses." Kent further explained that the attack method involved sending thousands of requests to retrieve usernames and then scraping the returned data. Simple instrumentation on the login API could have detected the leakage of sensitive data.

Kent also warned that having access to the emails, names, and phone numbers of Life360 customers could provide valuable information for further attacks. Potential risks include smishing attempts, login validation attempts to exploit password reuse, and possibly Multi-Factor Authentication (MFA) fatigue campaigns. He advised users to avoid reusing passwords and to employ secure password vaults to manage their credentials effectively.

The company has confirmed that the API flaw has since been rectified. However, in an unsettling development, attackers exploited another vulnerability to breach Tile, a customer support platform that Life360 acquired in recent years. This breach involved stealing additional sensitive information such as names, addresses, phone numbers, email addresses, and device identification numbers. Following the breach, Life360 faced an extortion attempt, underscoring the multi-faceted risks of such cyber incidents.

Commenting on the pervasive nature of API usage in modern applications, Katie Paxton-Fear, an API Researcher for Traceable AI, stated, "Almost every mobile app uses an API on the backend, that's because it can really cut down on development time and make it easy to make Android and iOS apps with the same functionality." Paxton-Fear illustrated that developers often start with more permissive API settings, gradually narrowing them as the application's development progresses. In the Life360 case, it appears that whilst sensitive data like phone numbers were not visible on the app's interface, they remained accessible via the API.

"This bug essentially allowed an attacker (who could see what their phone was sending to the API) to put in a valid email for an account, and get out the victim's name and their full unverified phone number or a partial verified number," she explained. She highlighted one of the critical challenges in securing APIs, noting that API attacks can be hard to detect because they target legitimate functionalities, leading to high traffic that does not appear inherently malicious.

The implications of this breach are complex and far-reaching. Users of Life360 are urged to remain vigilant and monitor any suspicious activities or communications. Companies are being reminded of the critical importance of constantly reviewing and testing their APIs to ensure that sensitive data is protected and only necessary information is exposed during transactions. Additionally, robust measures need to be implemented to detect unusual traffic patterns that may indicate an ongoing attack.

As digital platforms increasingly rely on APIs to facilitate seamless communication and functionality across apps and devices, ensuring stringent security protocols and proactive threat detection measures is paramount. This breach serves as a cautionary tale, highlighting the potentially severe consequences of overlooked vulnerabilities in our interconnected technological landscape.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X