Sleep
Jun 20, 2024

Information Disclosure through Unsecured API Endpoint on StrideBank’s Locations Page

URL: https://stridebank.com/locations.php?use_json=1&show=&zipcode=&cityname=&stateabbr=

Date Reported: 2024-06-20

Severity: Medium

Bug Type: Information Disclosure

Description: An unsecured API endpoint on the StrideBank website allows access, without any authentication, to detailed information about ATM and bank branch locations. The endpoint exposes sensitive data in JSON format, including precise latitude and longitude coordinates, which could be used for malicious purposes.

Steps to Reproduce:

  1. Navigate to the following URL: https://stridebank.com/locations.php?use_json=1&show=&zipcode=&cityname=&stateabbr=
  2. The response is a JSON object containing detailed information about StrideBank’s ATM and bank branch locations, including:
  • marker_type (ATM or bank)
  • title (location name)
  • description (address)
  • link (HTML link to view more info)
  • lat (latitude)
  • lng (longitude)

Example of Exposed Data:

{
  "places": [
    {
      "marker_type": "atm",
      "title": "Bartlesville",
      "description": "1415 SE Washington Blvd",
      "link": "<a href=\"#atm_60766\">View Info</a>",
      "lat": "36.732548",
      "lng": "-95.935963"
    },
    {
      "marker_type": "atm",
      "title": "Blackwell",
      "description": "102 N. Main St",
      "link": "<a href=\"#atm_60767\">View Info</a>",
      "lat": "36.804504",
      "lng": "-97.280747"
    }
  ]
}

Potential Impact: The disclosed information can be used for various malicious activities, including but not limited to:

  • Physical security threats to ATMs and bank branches.
  • Planning of social engineering attacks.
  • Geo-targeted phishing campaigns.

Recommended Fix:

  1. Authentication and Authorization: Implement authentication and authorization mechanisms to restrict access to the API endpoint.
  2. Data Minimization: Limit the amount of sensitive information returned by the API. Consider obfuscating or removing precise location data.
  3. Rate Limiting: Apply rate limiting to the API to prevent abuse through automated scripts.
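The following Python example is added here to show what the three recommended fixes look like together in a server-side handler; it is not code from the report or from StrideBank. It assumes a hypothetical `handle_request` function standing in for the endpoint, a constructed bearer-token set for the authentication check, and a sample response built from the two "places" entries quoted above. The sliding-window limiter and the coordinate coarsening are one possible implementation of fixes 3 and 2, not the only ones.

```python
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample shaped like the "places" array quoted in the report.
SAMPLE_RESPONSE = json.dumps({
    "places": [
        {"marker_type": "atm", "title": "Bartlesville",
         "description": "1415 SE Washington Blvd",
         "link": "<a href=\"#atm_60766\">View Info</a>",
         "lat": "36.732548", "lng": "-95.935963"},
        {"marker_type": "atm", "title": "Blackwell",
         "description": "102 N. Main St",
         "link": "<a href=\"#atm_60767\">View Info</a>",
         "lat": "36.804504", "lng": "-97.280747"},
    ]
})

# Fields the map page actually needs; "link" (raw HTML) is deliberately excluded.
PUBLIC_FIELDS = ("marker_type", "title", "description")


def minimize_places(raw_json: str, precision: int = 2) -> dict:
    """Fix 2, data minimization: keep only PUBLIC_FIELDS and coarsen the
    coordinates. Two decimals is roughly 1 km, enough to plot a city map
    but not a precise pin."""
    data = json.loads(raw_json)
    out = []
    for place in data.get("places", []):
        entry = {k: place[k] for k in PUBLIC_FIELDS if k in place}
        entry["lat"] = round(float(place["lat"]), precision)
        entry["lng"] = round(float(place["lng"]), precision)
        out.append(entry)
    return {"places": out}


class SlidingWindowLimiter:
    """Fix 3, rate limiting: allow at most max_requests per client per window.
    Timestamps are injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[client_id]
        # Drop hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_request(headers: dict, client_id: str, raw_json: str,
                   limiter: SlidingWindowLimiter, valid_tokens: set,
                   now: Optional[float] = None) -> dict:
    """Hypothetical endpoint handler. Order matters: rate-limit first so the
    auth check itself cannot be hammered, then authenticate (fix 1), then
    return only the minimized payload (fix 2)."""
    if not limiter.allow(client_id, now):
        return {"status": 429, "body": {"error": "too many requests"}}
    presented = headers.get("Authorization", "")
    token = presented[len("Bearer "):] if presented.startswith("Bearer ") else ""
    # Constant-time comparison against each known token (constructed set).
    if not any(hmac.compare_digest(t, token) for t in valid_tokens):
        return {"status": 401, "body": {"error": "unauthorized"}}
    return {"status": 200, "body": minimize_places(raw_json)}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=60, window_seconds=60.0)
    resp = handle_request({"Authorization": "Bearer demo-token"}, "203.0.113.5",
                          SAMPLE_RESPONSE, limiter, {"demo-token"})
    print(json.dumps(resp, indent=2))
```

Rounding is a stand-in for whichever coarsening policy the product owner settles on; if the map genuinely needs exact pins, the remaining lever is authentication plus rate limiting, and the `link` field should still be dropped so the API returns data rather than markup.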

Additional Notes:

  • Ensure that the endpoint follows best security practices to prevent information disclosure.
  • Regularly review and audit API endpoints for potential security vulnerabilities.

Reported By: Taylor Christian Newsome
