In mobile-first markets, watching video streams on mobile devices through mobile apps is the norm. Apart from ensuring optimum streaming performance, OTT service providers are also starting to pay attention to safeguarding their viewers' online security and privacy when they consume OTT video streams.
In a recent mobile player security assessment, I noticed that a media mobile app would make the REST API call below to check whether the owner of an email address is a registered user of the OTT service:
curl -X POST "https://auth.example-ott.com/ws/user/checkEmail.json" \
In this example, if email@example.com is already a registered user, the REST API would return:
At first glance, the API seems innocuous and is protected by HTTPS. However, given the growing threat of credential stuffing, in which attackers use automated injection of breached username/password pairs to fraudulently gain access to user accounts, such an API is far too helpful to attackers and does a disservice to the OTT service provider's security. An attacker can easily enumerate, for example, the known email addresses of famous celebrities and check whether any of them is a registered user of the OTT service. Once a given celebrity, often a highly valuable target, is confirmed as a registered user, the attacker can take their time trying breached passwords or brute-forcing their way into the account. We live in an age in which celebrities' email addresses can easily be found on the internet; the below is one example from India!
The takeaway is that REST APIs relating to user login must be carefully designed and examined. Akamai can help in the following ways:
- Consulting: holistically examining user login REST API designs in light of the prevailing internet security threats targeting the OTT industry.
- Rate-limiting of REST APIs: guarding against high-velocity attacks on REST API queries whose malicious goal is to exhaust the origin server.
- Bot Manager: applying machine learning to discern legitimate, human-generated login traffic from bot-generated attack traffic.
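To make the design point concrete, here is an added example (not code from the post, Akamai, or the OTT vendor) that places the leaky "does this email exist?" pattern described above beside a hardened handler that addresses two of the listed mitigations: a uniform response that no longer acts as an enumeration oracle, and per-client and per-address rate limiting. The user store, IP addresses, response shapes and the mail "outbox" are all constructed for the example; the real API's JSON is not shown in the post, so nothing here reproduces it.

```python
"""Leaky check-email endpoint beside a hardened one.

Added example, not the OTT service's code. REGISTERED_USERS, the response
bodies and the client IPs below are constructed sample data.
"""
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed stand-in for the OTT service's user database.
REGISTERED_USERS = {"email@example.com", "viewer@example.net"}


def normalize(email: str) -> str:
    """Canonicalise an address so lookups and rate-limit keys agree."""
    return email.strip().lower()


def leaky_check_email(email: str) -> dict:
    """The pattern the post describes: the response differs for registered
    and unknown addresses, so the endpoint doubles as an enumeration oracle.
    (Constructed response shape; the real API's JSON is not shown.)"""
    return {"status": 200, "body": {"registered": normalize(email) in REGISTERED_USERS}}


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class HardenedEmailCheck:
    """Same business need (is this address known?) without telling the caller.

    The lookup result drives a server-side action only (here: queueing a mail),
    while status code and body are identical for registered and unknown
    addresses. Two limiters throttle high-velocity use: one per client IP,
    one per target address, and both apply before the lookup so the 429 path
    is also uniform."""

    UNIFORM_BODY = {"message": "If this address is registered, we have sent instructions to it."}

    def __init__(self, per_ip=(10, 60.0), per_email=(3, 3600.0)):
        self.ip_limiter = SlidingWindowLimiter(*per_ip)
        self.email_limiter = SlidingWindowLimiter(*per_email)
        self.outbox = []  # constructed stand-in for the mail sender

    def check(self, email: str, client_ip: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        email = normalize(email)
        if not self.ip_limiter.allow(client_ip, now) or not self.email_limiter.allow(email, now):
            return {"status": 429, "body": {"message": "Too many requests; try again later."}}
        if email in REGISTERED_USERS:
            self.outbox.append(email)  # side effect stays server-side
        return {"status": 202, "body": dict(self.UNIFORM_BODY)}


if __name__ == "__main__":
    svc = HardenedEmailCheck()
    print(leaky_check_email("email@example.com"), leaky_check_email("nobody@example.org"))
    print(svc.check("email@example.com", "203.0.113.5"), svc.check("nobody@example.org", "203.0.113.5"))
```

The two limiter windows are illustrative defaults, not recommended production values; a real deployment would tune them against legitimate traffic and pair them with the bot-detection layer the list above mentions, since uniform responses remove the oracle but rate limiting alone does not stop a distributed, low-and-slow client.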