In September 2024, the digital landscape faced a stark reminder of the vulnerabilities lurking within APIs. When Dotpe, a prominent Indian fintech startup known for revolutionizing payment solutions for the food and retail industry, suffered a massive API breach, sensitive customer data and critical business insights were laid bare. This incident not only jeopardized the privacy of millions but also exposed the weaknesses in API security practices that can affect businesses at any scale.
A little bit of back story: What is Dotpe?
Dotpe provides digital payment and point-of-sale (POS) solutions that enable businesses to digitize operations and enhance customer interactions by allowing restaurants and cafes to offer contactless ordering through QR codes, an essential service during the COVID-19 pandemic. Dotpe quickly garnered attention and secured around $90 million in funding. High-profile clients include major chains like Social, Paradise Biryani, and international brands such as Pizza Hut and Starbucks.
However, this rapid growth came with a critical oversight—an unsecured API.
The Breach: What Happened?
It all started when the hacker, who goes by the name of “pea bee” on Twitter, visited a restaurant near his house. He ordered some drinks for himself using the QR code placed on his table.
He was expecting an OTP or some other form of authentication from the restaurant’s POS system, but to his surprise, he didn’t get any, and his order was on his table in less than 5 minutes.
That triggered him to study the QR ordering flow from his laptop, which revealed a glaring security flaw: Dotpe’s public API lacked essential authentication measures, leaving sensitive data exposed for anyone with basic technical knowledge to access.
Using just his browser’s developer tools, the hacker uncovered multiple vulnerabilities within Dotpe’s API, highlighting a significant oversight in security protocols.
The exposed APIs allowed unauthorized access to a wide range of sensitive data, including:
- Real-Time Order Information: Hackers could view ongoing and past orders at various restaurants in real-time, exposing customer choices and preferences.
- Customer Personal Data: By manipulating API parameters, hackers retrieved personal details such as names, phone numbers, and order histories from other diners.
- Critical Business Insights: Hackers analyzed revenue, popular menu items, and historical order data, revealing sensitive financial information that could be exploited.
This breach left 37,529 restaurants and cafes vulnerable, including notable names that relied on Dotpe’s digital payment solutions.
Here’s a Twitter thread to understand the timeline of all the events that triggered this breach, what happened after that, and more.
The Core Issue: No API Authentication
The primary cause of the breach was the lack of API authentication. Dotpe’s public APIs, intended to support business operations like order tracking and insights generation, had no security checks to ensure authorized access. Without these safeguards, APIs become easy targets for malicious actors.
API authentication is a fundamental security requirement in today's API-driven landscape. Its absence led to hackers gaining what amounted to “admin-level access,” enabling them to:
- View sensitive information like most ordered dishes and customer information.
- Disrupt business operations for restaurants and cafes.
- Harvest data for competitive or malicious uses.
What is API authentication?
API authentication is the process of verifying a client's identity (such as an application, user, or device) attempting to access an API. It ensures that only authorized entities can interact with the API and access its resources.
There are several common methods of API authentication:
- API Keys: A simple way to identify the calling entity by passing a key unique to the user.
- OAuth: A more secure protocol that allows token-based authorization, often used in conjunction with login via external platforms like Google or Facebook.
- Basic Authentication: Uses a username and password for authentication but is considered insecure without HTTPS.
- JWT (JSON Web Tokens): A stateless authentication mechanism that allows secure information transmission as a JSON object.
- Mutual TLS: A method where both client and server authenticate each other via certificates, providing an additional security layer.
Each one has its pros & cons and is used accordingly. For example, API Keys are simple but offer limited security, making them best suited for internal services, whereas OAuth is preferred for third-party integrations because of its enhanced security features.
The Role of API Authentication in Preventing API Breaches
API authentication is crucial in preventing API breaches because only authorized users or applications can access the API. By verifying the client's identity, API authentication blocks unauthorized access to sensitive data or services.
It’s important to note that authentication proves the identity of the client, while authorization determines what that client is allowed to do once authenticated. For example, after authenticating a user, an API may only grant access to specific data or functions based on that user’s role or permissions.
Strong authentication methods, like OAuth or JWT, prevent credential misuse, man-in-the-middle attacks, and API enumeration. If Dotpe had implemented OAuth or JWT, unauthorized access would have been prevented, as only authenticated users with valid tokens could access the API.
Additionally, features like token expiration, key rotation, and encrypted communication (via TLS) minimize the risk of breaches by reducing the chances of stolen credentials being exploited.
Proper API authentication acts as the first line of defense, protecting APIs from attacks and ensuring data security.
How Treblle Could Have Prevented This Disaster
This breach could have been entirely avoided if Dotpe had implemented an API intelligence platform like Treblle. Here’s how Treblle would have made a difference:
1. API Governance
Treblle’s API governance ensures that your APIs are built with security best practices from the ground up. Our automated scoring features would have flagged the lack of authentication during Dotpe’s API development, providing actionable insights to prevent such oversights before they reached production.
2. Observability
Treblle’s API Observability provides real-time insights into the performance and health of your APIs by analyzing 40+ API-specific data points across every single request made to the API. It helps teams detect issues like latency, failed requests, endpoint exploitation (like in the case with Dotpe), and more.
With Treblle, Dotpe would have quickly detected suspicious activity as the hacker attempted to exploit various endpoints.
3. Runtime Security
Treblle’s focus on runtime security continuously scans live APIs for vulnerabilities. It would have identified Dotpe’s missing authentication and other design flaws before exploitation occurred. By alerting teams to issues such as missing tokens and weak encryption, Treblle could have enabled quick remediation of vulnerabilities.
Conclusion: The Imperative of API Security
The Dotpe API breach serves as a critical reminder of the need for robust API security measures. The absence of basic authentication left customer data and business reputations at risk. Security must remain a top priority as APIs increasingly drive operations across industries.
With solutions like Treblle, companies can transform their approach to building, shipping, and governing APIs, ensuring both functionality and security. Treblle’s blend of API governance, observability, and runtime security provides a comprehensive strategy to protect businesses from the devastating impacts of security breaches.
Imagine the potential risks if your business faced a similar breach. Don’t wait for an incident to occur. Explore how Treblle can safeguard your APIs and protect your customers today.