More than 54 million mobile app users of popular transactional and marketing email service providers — Mailgun, MailChimp and Sendgrid – are facing cyber security related risk, according to CloudSEK.
People in the US have downloaded these apps the most, followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users vulnerable.
CloudSEK’s BeVigil, a security search engine for mobile apps, uncovered about 50 percent of the analyzed (600) apps on the Google play store, leaking API keys of three popular transactional and marketing email service providers; Mailgun, MailChimp, and Sendgrid.
API allows applications to communicate with each other without any human intervention. API key is a special identification used by users, developers, or calling programs to authenticate themselves to an API.
Leaked API keys allow threat actors to perform a variety of unauthorized actions such as sending emails, deleting API keys, and modifying two-factor authentication.
Mailgun provides email API services enabling brands to send, validate, and receive emails through their domain at scale.
API key leak would allow a threat actor to send emails, read emails, get simple mail transfer protocol (SMTP) credentials, get IP address and statistics, allow creating, accessing, and deleting Webhooks and retrieve mailing lists of customers and launch a phishing campaign.
Mailchimp is a transactional email service first introduced in 2001 and later launched as a paid service with an additional freemium option in 2009.
API key leak in Mailchimp would allow a threat actor to read conversations, fetch customer information, expose email lists of multiple campaigns containing personal identifiable information (PII), authorize third-party applications connected to a MailChimp account, manipulate promo codes and start a fake campaign and send emails on behalf of the company.
In the case of SendGrid, a communication platform intended for transactional and marketing emails, an API key leak would allow a hacker to send emails, create API keys, control IP addresses used to access accounts.
APIs integrate new application components into existing architecture. Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices, CloudSEK said.