Misconfigured APIs Expose Sensitive Medical Data in Major Diagnostic Chain

Summary: A recent investigation by CloudSEK’s BeVigil platform uncovered significant vulnerabilities in the API infrastructure of a major diagnostic chain, jeopardizing the personal and medical data of potentially millions of users. The findings highlight unauthorized access to sensitive information due to misconfigured APIs and poorly secured endpoints, allowing easy exploitation. The report emphasizes the urgent need for organizations to rectify these vulnerabilities to protect user data and maintain trust in healthcare systems.

Affected: Major diagnostic chain

Key points:

  • Exposed JavaScript file contained sensitive API keys and authentication tokens.
  • Unauthorized access to personal information including names, addresses, and medical reports.
  • Flaws in Admin and Live APIs facilitated exploitation and data breaches.
  • Sequential lab numbers enabled access to medical reports for unauthorized individuals.
  • Email feature vulnerability allowed potential phishing attacks through customizable messages.
  • Consequences include identity theft, healthcare liability, and diminished trust in healthcare systems.
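The sequential lab-number finding above is a broken object-level authorization problem: a report endpoint that trusts the identifier in the request and never checks who is asking. The following Python is an added illustration written for this summary, not code from CloudSEK, BeVigil or the diagnostic chain; the report data, patient identifiers and function names are constructed placeholders. It places the insecure lookup beside two defensive fixes: an ownership check tied to the authenticated principal, and opaque, unguessable handles that remove the enumerable sequence from the client-facing API.

```python
import hmac
import secrets

# Constructed sample data (not from the investigation): three reports with
# sequential lab numbers belonging to two patients.
REPORTS = {
    1001: {"patient_id": "P-001", "result": "sample result A"},
    1002: {"patient_id": "P-002", "result": "sample result B"},
    1003: {"patient_id": "P-001", "result": "sample result C"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested report."""


def get_report_insecure(lab_number: int) -> dict:
    """The weak pattern: the sequential lab number alone selects the report.
    Nothing ties the lookup to the identity of the caller."""
    return REPORTS[lab_number]


def get_report_secure(lab_number: int, requesting_patient_id: str) -> dict:
    """Object-level authorization: return the report only when it belongs to
    the authenticated principal (assumed here to be a patient id established
    by the session layer, which this example does not model)."""
    report = REPORTS.get(lab_number)
    # One error for both 'does not exist' and 'not yours', so the endpoint
    # does not confirm which lab numbers are valid.
    if report is None or not hmac.compare_digest(
        report["patient_id"], requesting_patient_id
    ):
        raise Forbidden("report not accessible")
    return report


# Opaque handles: the client only ever sees an unguessable token, so the
# internal sequential numbering cannot be walked from outside.
HANDLES: dict[str, int] = {}


def issue_handle(lab_number: int) -> str:
    """Mint a random, URL-safe handle for an internal lab number."""
    token = secrets.token_urlsafe(16)
    HANDLES[token] = lab_number
    return token


def get_report_by_handle(token: str, requesting_patient_id: str) -> dict:
    """Resolve the handle, then still enforce ownership: an opaque id is a
    defense in depth, not a substitute for the authorization check."""
    lab_number = HANDLES.get(token)
    if lab_number is None:
        raise Forbidden("report not accessible")
    return get_report_secure(lab_number, requesting_patient_id)


def access_allowed(lab_number: int, requesting_patient_id: str) -> bool:
    """Boolean wrapper around the secure lookup, convenient for audits and
    tests that assert a patient can only read their own reports."""
    try:
        get_report_secure(lab_number, requesting_patient_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Insecure path: any number in range returns a report, regardless of caller.
    print(get_report_insecure(1002)["patient_id"])          # P-002
    # Secure path: same number, wrong caller, refused.
    print(access_allowed(1002, "P-001"))                     # False
    print(access_allowed(1002, "P-002"))                     # True
    handle = issue_handle(1003)
    print(get_report_by_handle(handle, "P-001")["result"])   # sample result C
```

The two defenses are complementary: the ownership check is what actually closes the hole, while opaque handles stop an endpoint from doubling as an index of every report the lab has ever issued. Returning the same error for missing and foreign records keeps the secure endpoint from leaking which lab numbers exist.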

Source: https://securityonline.info/misconfigured-apis-expose-sensitive-medical-data-in-major-diagnostic-chain/