Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Salt Labs

The Dell API Breach: It could have been prevented

Hadar Freehling
May 17, 2024

As you may have seen in the news, a hacker stole 49 million customer records from Dell. The attack wasn’t novel or sophisticated. Instead, the attacker used a business logic flaw and an API to scrape 49 million records from Dell.

How did they do it?  Here is the attack flow.

The attacker registered for an account within the Dell ecosystem to be a reseller/partner. They weren’t going to be. But Dell didn’t perform any checks, and within 48 hours, the attacker had a valid account.

Next, the attacker found an API endpoint that allowed “partners” to input a Dell service tag. The API would then provide them with customer details, such as name, address, phone number, etc.

Since the Dell tag is only seven characters long and alphanumeric, the attacker created a script that would send 5,000 randomly created 7-character strings a minute to the API. With no rate limit or API monitoring, the attacker could harvest over 49 million customer records without anyone detecting this activity.

This attack illustrates why API protection is so complex and why you need a tool like Salt to help. Let's review the attack again, but this time, consider how a few changes and the addition of Salt would have detected and possibly stopped this attack.

Account registration. In API attacks, it is common for the adversary to create an account within the system and use that as the entry point for their reconnaissance and attack.  In Dell’s case, this was not an API problem but a business logic problem. The system that grants supplier/partner access needs to validate and, dare I say it, have a human check to see if the person/company signing up is legitimate.

If Dell had a tool like Salt monitoring their API, this attack would have been detected and thwarted. Here is why. When Salt monitors your API, it uses ML and AI (not just buzzwords; see patent) to create custom templates based on our algorithm that align with the API's functions. Thousands of attributes go into this template. But what makes Salt unique is a second algorithm called “User Intent.” This algorithm learns what normal user behavior is within your application and these APIs.

In this case, Salt would have learned that a typical supplier/partner queries the Service Tag customer lookup API maybe four times a day or maybe four an hour at most. The alarm bells would have been going off as soon as the first 5k request was received.

If you would like to learn more about Salt and how we could provide you with API discovery, governance, and protection, please contact us, schedule a demo, or check out our website.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

October 31, 2024

Alexandria Nicosia
Social Media Manager

Industry

Securing APIs in Retail: Safeguarding Customer Data

In the fast-paced retail industry, where customer trust and data protection are critical, API security must be a top priority to ensure both reliability and a seamless customer experience, confidence, and trust in digital services.

Read more

October 30, 2024

Eric Schwake
Head of Product Marketing

Customer

Salt Security and Dazz: A Powerful Partnership for API Security

Integrating Salt Security and Dazz provides a robust solution for organizations aiming to enhance their API and application security.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back