Why Public Links Expose Your SaaS Attack Surface


Jan 09, 2024The Hacker NewsSaaS Security / Data Security

Collaboration is a powerful selling point for SaaS applications. Microsoft, GitHub, Miro, and others promote the collaborative nature of their applications as a way for users to do more.

Links to files, repositories, and boards can be shared with anyone, anywhere. This helps teams build stronger campaigns and projects by enabling collaboration among employees dispersed across regions and departments.

At the same time, the openness of data in SaaS platforms can be problematic. A 2023 survey by the Cloud Security Alliance and Adaptive Shield found that 58% of security incidents over the last two years involved data leakage. Sharing is valuable, but data sharing must be kept in check. Most SaaS applications have mechanisms to control sharing, and when they are used, they are quite effective at keeping company resources off the public web. This article looks at three common data leakage scenarios and recommends best practices for safe sharing.


Turning Proprietary Code Public

GitHub repositories have a long history of leaking data. These leaks are usually caused by user error: a developer accidentally makes a private repository public, or an admin loosens permissions to facilitate collaboration.

GitHub leaks have impacted major brands, including X (formerly Twitter), whose proprietary code for its platform and internal tools leaked onto the internet. GitHub leaks often expose sensitive secrets, including OAuth tokens, API keys, usernames and passwords, encryption keys, and certificates.

When proprietary code and company secrets leak, it can put business continuity at risk. Securing code within GitHub repositories should be a top priority.

Surprising Risks of Publicly Accessible Calendars

On the surface, publicly shared calendars might not seem to be much of a security risk; calendars aren't thought of as holding sensitive data. In reality, they contain a trove of information that organizations would not want falling into the hands of cybercriminals.

Calendars contain meeting invitations with videoconference links and passwords. Keeping that information open to the public could result in unwanted or malicious attendees at your meeting. Calendars also include agendas, presentations, and other sensitive materials.

The information from calendars can also be used in phishing or social engineering attacks. For example, if a threat actor with access to Alice’s calendar sees that she has a call with Bob at 3 o’clock, the threat actor can call Bob while posing as Alice’s assistant and request that Bob email some sensitive information before the meeting.

Collaborating with External Service Providers

While SaaS apps simplify working with agencies and other service providers, these collaborations often involve members who join the project for short periods of time. Unless access is managed, the shared documents and collaboration boards give everyone who ever worked on the project access to the materials indefinitely.

Project owners will frequently create a single shared account for the agency or share key files with anyone who has the link. This simplifies administration and may save on licenses. However, the project owner has ceded control over who can access and work on the materials.

Anyone on the external team not only has access to proprietary project files but often retains that access after leaving the project, as long as they remember the shared username and password. When resources are shared with anyone who has the link, they can simply forward the link to a personal email account and access the files whenever they want.

Figure 1: Users retain access to shared Google Docs even after the employee who shared the documents has left the company


Best Practices for Safe File Sharing

Sharing resources is an important aspect of business operations. SaaS Security firm Adaptive Shield recommends companies follow these best practices whenever sharing files with external users.

  • Always share files with individual users, and require some form of authentication.
  • Never share via “anyone with the link.” When possible, the admin should disable this capability.
  • When applications allow, add an expiration date to the shared file.
  • Add an expiration date to file-sharing invitations.
  • Remove share permissions from any public document that is no longer being used.

Additionally, organizations should look for a SaaS security tool that can identify publicly shared resources and flag them for remediation. This capability will help companies understand the risk they are taking with publicly shared files and direct them toward securing any files at risk.
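The checks in the list above, and the inventory of publicly shared resources this paragraph calls for, can be reproduced on a small scale against the permission records a SaaS API returns. The following Python script is an added example, not code from the article or from Adaptive Shield: it audits file records laid out like Google Drive API v3 files.list results (id, name, modifiedTime and a permissions list) and flags "anyone with the link" grants, external user or group grants that carry no expiration, and externally shared files untouched for a set period. The sample records, the example.com internal domain, the 90-day staleness threshold and the fixed reference clock are all constructed for illustration.

```python
"""Flag risky sharing on SaaS file records (added example with constructed data).

The record shape mirrors what Google Drive API v3 files.list returns for
fields=files(id,name,modifiedTime,permissions(type,role,emailAddress,
allowFileDiscovery,expirationTime)), but every record below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: these are the company's own domains; any other address is external.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: an externally shared file untouched this long is "no longer being used".
STALE_AFTER = timedelta(days=90)
# Fixed clock so the output is reproducible (the article's publication date).
REFERENCE_TIME = datetime(2024, 1, 9, tzinfo=timezone.utc)

# Constructed sample: one public link, one open-ended agency share, one time-limited share.
SAMPLE_FILES = [
    {
        "id": "f1", "name": "Q3 campaign plan", "modifiedTime": "2023-12-20T10:00:00Z",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        ],
    },
    {
        "id": "f2", "name": "Agency brief", "modifiedTime": "2023-06-01T09:30:00Z",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
            {"type": "user", "role": "writer", "emailAddress": "pat@agency.example.net"},
        ],
    },
    {
        "id": "f3", "name": "Vendor contract", "modifiedTime": "2024-01-05T16:45:00Z",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
            {"type": "user", "role": "reader", "emailAddress": "lee@vendor.example.org",
             "expirationTime": "2024-02-01T00:00:00Z"},
        ],
    },
]


def parse_time(ts):
    """RFC 3339 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_external(perm):
    """True for a user/group grant whose address is outside the company domains.

    A grant with no emailAddress is treated as external (fail closed).
    """
    if perm["type"] not in ("user", "group"):
        return False
    domain = perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_file(record, now=None):
    """Return (category, detail) findings for one file record."""
    now = now or datetime.now(timezone.utc)
    findings = []
    external_access = False
    for perm in record.get("permissions", []):
        if perm["type"] == "anyone":
            # Public link; allowFileDiscovery=True means search engines may index it too.
            external_access = True
            reach = "indexed by search" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(("public", f"{perm['role']} for {reach}"))
        elif is_external(perm):
            external_access = True
            if "expirationTime" not in perm:
                findings.append(("no-expiry",
                                 f"{perm.get('emailAddress')} has {perm['role']} access with no expiration"))
    # A file nobody has touched for STALE_AFTER but that still has outside access is
    # the "no longer being used" case in the list above.
    if external_access and now - parse_time(record["modifiedTime"]) > STALE_AFTER:
        findings.append(("stale", f"externally shared but not modified since {record['modifiedTime']}"))
    return findings


def audit(files, now=None):
    """Map file id -> findings, omitting files with nothing to report."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for record in files:
        found = audit_file(record, now)
        if found:
            report[record["id"]] = found
    return report


if __name__ == "__main__":
    for file_id, found in audit(SAMPLE_FILES, now=REFERENCE_TIME).items():
        for category, detail in found:
            print(f"{file_id}\t{category}\t{detail}")
```

Against the sample, the public link on f1 and both the open-ended and stale agency access on f2 are reported, while f3 is silent because its external grant expires. Point the same logic at real files.list output (with a service account or delegated credentials) to get the inventory the paragraph describes.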







