Just Eat & Deliveroo pick up the tab for bad password hygiene

By Netacea / 19th Jul 2019

Recent attacks on UK takeaway firms are highlighting the evolving security threat of business logic exploits.

Did you see this headline hit the news a few weeks ago? No? That’s because, despite this statement being an accurate description of events, it wasn’t the angle the media chose when the UK takeaway providers Just Eat and Deliveroo became the targets of a mass credential stuffing attack.

A rising number of big brands are affected by compromised credentials, and tackling the threat requires a fundamental shift in how businesses think about security.

In the case of Just Eat and Deliveroo, customer accounts were taken over to access account credits and place fraudulent food orders, yet both companies stated there was no suggestion of a security breach involving their own data.

How were Just Eat and Deliveroo customer accounts taken over?

Attackers look for the weakest spot in a business’s infrastructure, so organisations must take a fresh approach to application security.

Typically, attackers have tried to exploit weaknesses in an application to execute illegitimate code. For example, SQL injection attacks exploit weaknesses in the application that allow illegitimate commands to be passed to the database and executed in a manner the developers never anticipated. The attacker can then gain access to, or control of, the underlying systems or data.

The application layer is obviously an important area of defence, and businesses must remain vigilant against new attacks. Yet application security, for many organisations, is nothing new. In fact, the need for application security is well known and well resourced. Industry awareness, improved systems and tooling, and standards such as PCI DSS have ensured that most companies have defences in place that will stop most standard attack vectors.

This doesn’t mean that attackers just go away; instead, they look for the next weak point: the business logic of your system.


Why does flawed business logic leave businesses vulnerable to attack?

Attacks exploiting weaknesses in the business logic and functionality of an application are becoming increasingly commonplace and are generally underpinned by automation or bot activity.

Business logic exploits

The Just Eat and Deliveroo attacks are good examples of business logic exploitation. The activity used to take over the accounts was ordinary, correct and therefore expected consumer behaviour. However, these users were not accessing the accounts for the purposes that the businesses and developers who implemented the systems intended.

Functionality exploits

The functionality being executed is all valid. Users must be able to track their orders in a relatively frictionless environment, they must also be able to obtain refunds, and there are multiple valid business reasons why a refund is applied as account credit rather than repaid directly to a credit or debit card.

The attackers simply exploited this functionality in a combination that was never intended, leaving users feeling cheated while Just Eat and Deliveroo lose money hand over fist.

How do you stop business logic exploits?

The latest bot defence products have evolved beyond IP reputation feeds or JavaScript checks to tackle the growing trend for sophisticated bot attacks that target flawed business logic.

Smarter bot management requires technology that can learn standard patterns of user behaviour so that it can quickly and accurately detect when non-standard behaviour occurs, then identify and stop the malicious users responsible.
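As an added illustration (not code from the article or from Netacea's product), the following detection logic runs over a constructed login log and applies the idea above: every individual login request is valid, but one source attempting many distinct accounts within a short window with mostly failures is the combination that is abnormal. Accounts that did log in successfully from such a source are the likely takeovers whose credits and orders should be reviewed. The log format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login log (not data from the article): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-07-01T12:00:01 203.0.113.7 alice@example.com FAIL
2019-07-01T12:00:02 203.0.113.7 bob@example.com FAIL
2019-07-01T12:00:03 203.0.113.7 carol@example.com OK
2019-07-01T12:00:04 203.0.113.7 dave@example.com FAIL
2019-07-01T12:00:05 203.0.113.7 erin@example.com FAIL
2019-07-01T12:00:06 203.0.113.7 frank@example.com FAIL
2019-07-01T12:00:07 203.0.113.7 grace@example.com OK
2019-07-01T12:00:10 198.51.100.4 heidi@example.com FAIL
2019-07-01T12:00:40 198.51.100.4 heidi@example.com FAIL
2019-07-01T12:01:15 198.51.100.4 heidi@example.com OK
2019-07-01T12:02:00 192.0.2.9 ivan@example.com OK
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, account, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events)

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=6, min_distinct=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources whose logins inside any sliding `window`
    hit many distinct accounts with mostly failures. A single user retrying
    their own password (one account) is deliberately not flagged."""
    flagged, recent = {}, defaultdict(deque)
    for ts, ip, account, ok in events:
        q = recent[ip]
        q.append((ts, account, ok))
        while ts - q[0][0] > window:          # drop events that fell out of the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if (len(q) >= min_attempts and len(accounts) >= min_distinct
                and successes / len(q) <= max_success_ratio):
            flagged[ip] = {"attempts": len(q), "accounts": len(accounts),
                           "successes": successes}
    return flagged

def accounts_to_review(events, flagged):
    """Accounts that logged in successfully from a flagged source: the likely
    takeovers whose credit balance and recent orders should be checked."""
    return {a for _, ip, a, ok in events if ok and ip in flagged}
```

The thresholds are illustrative; in production they would be tuned against the site's own baseline of legitimate login behaviour, and the source key would normally combine more than the IP address.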

Any organisation with a customer-facing system (such as a website, mobile app or API) is vulnerable to business logic exploitation and requires a security solution that identifies and stops these attacks.

Talk to the Netacea team today to find out how our best-of-breed bot management technology protects websites, mobile apps and APIs from malicious attacks such as scraping, credential stuffing and account takeover. Alternatively, read our 3 Step Guide to Better Bot Management to discover what you can be doing to protect your business now.