Let's pop the hood on the #OptusHack (A thread) 
Thanks to people like @Jeremy_Kirk we at least know the domain of the hacked/vulnerable API api.www.optus.com.au
I was digging using two different starting points, which I will break down below 👇
The data referenced in the released sample dump had some very unique identifiers, such as "complexServicesExists", so I wanted to understand if this identifier is referenced anywhere else online
After some digging on GitHub, I identified a single match for a repo named pam-poc (Keep in mind there are over 128 million public repos on GitHub), so that is a very specific match.
I have removed names as I don't want people to think this person or this repo has anything to do with API being vulnerable.
It just might be significant in understanding more about the API and the datasets used by the API.
It just might be significant in understanding more about the API and the datasets used by the API.
Anyways, the repo doesn't tell us anything except this project had been related to a project named (Optus OCP) at some point in the past 📅
At this stage, the hacker(s) had not said anything about the specific API targeted, which we later found out to be (api.www.optus.com.au)
Armed with this info, I headed back to GitHub to do some digging.
Armed with this info, I headed back to GitHub to do some digging.
Once again, out of 128 million repos, only one search result contained a match related to api.www.optus.com.au
Once again, this person is not involved in the hack/vulnerability. They had simply setup some scripts to automatically login to their own Optus account back in 2018
Once again, this person is not involved in the hack/vulnerability. They had simply setup some scripts to automatically login to their own Optus account back in 2018
This is where we learn more about the API itself, and we can start to make some assumptions about what specific vulnerability may have been exploited if any.
I don't usually bet (unless I have an advantage).
Still, I'm calling it early and betting that there was an IDOR (Insecure direct object reference) vulnerability in the (api.www.optus.com.au/mcssapi/rp-web… API endpoint.
Still, I'm calling it early and betting that there was an IDOR (Insecure direct object reference) vulnerability in the (api.www.optus.com.au/mcssapi/rp-web… API endpoint.
This API looks like it takes 3 unique parameter values (cust_num, account_num & sub_id) as seen below.
(cust_num) appears to be the Optus Customer Number, (account_num) appears to the Optus Account Number, and (sub_id) the Optus Subscription ID
As with most IDOR vulnerabilities, it's very likely that all the attacker had to do is enumerate one or more of these parameter values (cust_num, account_num & sub_id), which fits with what they are claiming.
I guess we will learn in due time whether the API was open or whether it was just vulnerable to IDOR. If the latter is true, the next question would be, why was it vulnerable?
That's more of a rhetorical question, as I was curious about the API path (api.www.optus.com.au/rp-webapp-9-co…), so I decided to go down that rabbit hole.
I believe the path (/rp-webapp-9-common) has something to do with a product/vendor named Amdocs due to the existence of other non-Optus GitHub repositories using the same path which are related to Amdocs integration(s)
The puzzle starts coming together when you search "amdocs optus" in Google and learn that back in 2008 Optus chose Amdocs Convergent Mediation to facilitate the quick introduction of new service offerings and charging models for data products.
Disclaimer ⚠️
I'm purely shooting in the dark here, just because the path (/rp-webapp-9-common) could be related to Amdocs, and this path WAS a valid path on the api.www.optus.com.au API, this does NOT mean this specific endpoint OR any Amdocs APIs were exploited.
I'm purely shooting in the dark here, just because the path (/rp-webapp-9-common) could be related to Amdocs, and this path WAS a valid path on the api.www.optus.com.au API, this does NOT mean this specific endpoint OR any Amdocs APIs were exploited.
Only time will tell 👀👂
• • •
Missing some Tweet in this thread? You can try to
force a refresh
