CarbonTV, a US-based streaming service, left a server with its source code open, risking user safety and the company’s reputation.
The Cybernews research team found a major flaw in CarbonTV’s system. A server hosting the platform’s application programming interface (API) was found to be leaking the streaming service’s source code.
According to Cybernews researchers, the source code was leaking due to poor access control on the .git folder. Usually, access to the folder is given only to a select few, since it contains vital information about any project, such as the remote repository address, commit history logs, and other essential metadata.
Founded in 2013, CarbonTV caters to outdoor and rural lifestyle enthusiasts, offering hundreds of shows to a monthly audience of over 10 million viewers. The service has tens of thousands of installations via iOS App, Android, Roku, Samsung Smart TV, Fire Stick, and other platforms.
Major security implications
Cybernews researchers discovered that CarbonTV’s server, designed for API access, had a publicly available .git directory, allowing part or, in some cases, all of the application source code to be downloaded. Predictably, leaving source code open has major security implications.
The team discovered files no company would like to have publicly exposed, such as internal API documentation, full access credentials, access tokens with full API source code, and part of the app structure.
Threat actors with this level of access would have a field day. The open-to-download API allows one to work with the platform’s ads, videos, and users. In essence, this means hackers could modify content seen on CarbonTV.
Meanwhile, user endpoint access allows downloading, reviewing, and modifying of user data. This means that not only could threat actors access sensitive user data, but they could also change an account password for CarbonTV.
On top of that, the leaking server leaves admin credentials open. Attackers could use this to infiltrate the system unnoticed and figure out ways for further targeted attacks.
“The source code should be protected as much as possible. In a threat actor’s hands, it can result in additional compromises of the company or clients,” Kurt Muhl, senior security consultant at cybersecurity firm TrustedSec, said.
No harm, no foul
The Cybernews team reached out to CarbonTV and disclosed the findings. Even though the company did not immediately respond, the leaking server was closed. Cybernews asked the company for a comment, and CarbonTV’s representative said no data was leaked.
“We take cybersecurity risks seriously and immediately researched what information was accessible through the link you provided. We have verified that no customer information or proprietary company information was able to be replicated or viewed,” the company told Cybernews.
According to CarbonTV, the .git configuration referenced by our research team was no longer in use to deliver services to its clients. However, upon learning about the leaky server, the company decommissioned and removed “the outdated servers.”
Inadvertently granting access to source code creates ample opportunities for threat actors. According to Kurt Muhl, senior security consultant at cybersecurity firm TrustedSec, hackers could use this vulnerability to upload malware-infested ads.
“If the ads are being used to populate banners on other websites, it may be possible to upload a malicious ad, maybe an SVG [Scalable Vector Graphics] file with malware, to hook your web browser and use it for mining cryptocurrency. Anyone who would see the ad now has their web browser mining cryptocurrency for the threat actor,” Muhl told Cybernews.
A video, for example, could be modified to deface content threat actors don’t like, and user account information might be sold or used to perform credential stuffing attacks.
Meanwhile, Karim Hijazi, the CEO of cybersecurity company Prevailion, explained that the key risk of unauthorized access to API source code is that whoever obtains it can use it to deploy malware.
“Due to it being done through what is considered a ‘trusted’ API, the chances of it being overlooked is high as well,” Hijazi told Cybernews.
If a company has its source code compromised, the first thing it should do, Muhl argues, is to test for issues in the production environment and ensure that hidden files and folders are not visible to unauthorized parties.
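The check Muhl recommends, verifying that hidden folders such as .git are not reachable on your own production hosts, can be automated. The script below is an added example, not code from Cybernews or CarbonTV; it fetches /.git/HEAD and only flags exposure when the body really looks like a Git HEAD file, since many web apps answer every path with an HTTP 200 catch-all page. The host names and sample responses are constructed.

```python
"""Self-check for an exposed .git directory on web hosts you operate.

Added example (not Cybernews' or CarbonTV's code). Only a body that
parses as a real Git HEAD file counts as exposure, so catch-all 200
pages do not produce false positives.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# A real HEAD file is either a symbolic ref or a bare commit id
# (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones).
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def head_looks_like_git(status: int, body: bytes) -> bool:
    """True when an HTTP response to /.git/HEAD exposes a real Git HEAD file."""
    if status != 200:
        return False
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(_HEAD_RE.match(text.strip()))


def check_host(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /.git/HEAD from a host you operate and classify the response."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(512)
    except HTTPError as exc:          # 403/404 etc. are the desired outcome
        status, body = exc.code, b""
    except URLError as exc:           # DNS/connection failure: nothing to judge
        return {"url": url, "status": None, "exposed": False, "error": str(exc.reason)}
    return {"url": url, "status": status, "exposed": head_looks_like_git(status, body)}


if __name__ == "__main__":
    # Constructed sample responses (no network needed) covering the three cases.
    samples = {
        "real HEAD":      (200, b"ref: refs/heads/main\n"),
        "catch-all page": (200, b"<!doctype html><title>Example</title>"),
        "blocked":        (403, b"Forbidden"),
    }
    for label, (status, body) in samples.items():
        print(f"{label:15s} -> exposed={head_looks_like_git(status, body)}")
```

Run `check_host("https://api.example.invalid")` against each of your own API hosts; any result with `exposed: True` means the web server still serves the repository metadata and needs a deny rule for dot-directories.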