Let's pop the hood on the #OptusHack (A thread)
Thanks to people like @Jeremy_Kirk we at least know the domain of the hacked/vulnerable API api.www.optus.com.au
I was digging using two different starting points, which I will break down below 👇
The data referenced in the released sample dump had some very unique identifiers, such as "complexServicesExists", so I wanted to understand if this identifier is referenced anywhere else online
After some digging on GitHub, I identified a single match for a repo named pam-poc (Keep in mind there are over 128 million public repos on GitHub), so that is a very specific match.
I have removed names as I don't want people to think this person or this repo has anything to do with the API being vulnerable.

It just might be significant in understanding more about the API and the datasets used by the API.
Anyways, the repo doesn't tell us anything except this project had been related to a project named (Optus OCP) at some point in the past 📅
At this stage, the hacker(s) had not said anything about the specific API targeted, which we later found out to be (api.www.optus.com.au)

Armed with this info, I headed back to GitHub to do some digging.
Once again, out of 128 million repos, only one search result contained a match related to api.www.optus.com.au

Once again, this person is not involved in the hack/vulnerability. They had simply set up some scripts to automatically log in to their own Optus account back in 2018.
This is where we learn more about the API itself, and we can start to make some assumptions about what specific vulnerability may have been exploited if any.
I don't usually bet (unless I have an advantage).

Still, I'm calling it early and betting that there was an IDOR (Insecure direct object reference) vulnerability in the (api.www.optus.com.au/mcssapi/rp-web…) API endpoint.
This API looks like it takes 3 unique parameter values (cust_num, account_num & sub_id) as seen below.
(cust_num) appears to be the Optus Customer Number, (account_num) appears to be the Optus Account Number, and (sub_id) the Optus Subscription ID.
As with most IDOR vulnerabilities, it's very likely that all the attacker had to do was enumerate one or more of these parameter values (cust_num, account_num & sub_id), which fits with what they are claiming.
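To make the IDOR pattern concrete, here is an added illustration that is not code from the thread, from Optus or from Amdocs: a lookup keyed by the three identifiers, with the authorization defect beside its fix, plus a detection pass over constructed access-log lines. The record data, the log format and the `/lookup` path are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed customer records keyed by (cust_num, account_num, sub_id).
# The IDs are sequential on purpose: that is what makes them enumerable.
RECORDS = {
    ("1001", "5001", "9001"): {"name": "Alice Example", "dob": "1990-01-01"},
    ("1002", "5002", "9002"): {"name": "Bob Example", "dob": "1985-05-05"},
}


def vulnerable_lookup(cust_num, account_num, sub_id):
    """Before: all three identifiers come from the request and nothing ties
    them to who is logged in, so any caller who supplies another customer's
    IDs receives that customer's record. This is the IDOR shape."""
    return RECORDS.get((cust_num, account_num, sub_id))


def hardened_lookup(session_cust_num, account_num, sub_id):
    """After: the customer number is taken from the authenticated session,
    never from the request, so the caller can only name objects under their
    own customer. Someone else's record looks exactly like a missing one,
    which also denies the caller an oracle for which IDs exist."""
    return RECORDS.get((session_cust_num, account_num, sub_id))


# Constructed access-log lines in a hypothetical format (token, path, status);
# token B walks through consecutive customer numbers.
LOG_LINES = [
    "tok=A path=/lookup?cust_num=1001&account_num=5001&sub_id=9001 status=200",
    "tok=B path=/lookup?cust_num=1001&account_num=5001&sub_id=9001 status=200",
    "tok=B path=/lookup?cust_num=1002&account_num=5002&sub_id=9002 status=200",
    "tok=B path=/lookup?cust_num=1003&account_num=5003&sub_id=9003 status=200",
    "tok=B path=/lookup?cust_num=1004&account_num=5004&sub_id=9004 status=404",
]
LINE_RE = re.compile(r"tok=(\S+) .*?cust_num=(\d+)")


def flag_enumeration(lines, threshold=3):
    """Detection: a single session reading many distinct cust_num values is
    the signature of an IDOR sweep. Returns {token: distinct_cust_nums} for
    every token at or above the threshold."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {tok: len(nums) for tok, nums in seen.items() if len(nums) >= threshold}
```

In a real deployment the session-bound customer number would come from the server-side session store or a validated token claim, and the detection threshold would be tuned against normal per-session behaviour.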
I guess we will learn in due time whether the API was open or whether it was just vulnerable to IDOR. If the latter is true, the next question would be, why was it vulnerable?
That's more of a rhetorical question, as I was curious about the API path (api.www.optus.com.au/rp-webapp-9-co…), so I decided to go down that rabbit hole.
I believe the path (/rp-webapp-9-common) has something to do with a product/vendor named Amdocs due to the existence of other non-Optus GitHub repositories using the same path which are related to Amdocs integration(s).
The puzzle starts coming together when you search "amdocs optus" in Google and learn that back in 2008 Optus chose Amdocs Convergent Mediation to facilitate the quick introduction of new service offerings and charging models for data products.
Disclaimer ⚠️

I'm purely shooting in the dark here, just because the path (/rp-webapp-9-common) could be related to Amdocs, and this path WAS a valid path on the api.www.optus.com.au API, this does NOT mean this specific endpoint OR any Amdocs APIs were exploited.
Only time will tell 👀👂
