Incidents of API Calls to Website's Backend

Wednesday October 23, 2019   |   News & Updates

The SocialEngine Team recently posted on their blog about "attempts to access client and expert data via specific queries". As a responsible and ethical organization, we want to share the background of this with the SocialEngine community.

Our team developed the website using a hybrid stack of Laravel and React.js. When the website was rolled out to production, our team was given access to the live API before the data was migrated from the old website to the new API, so that we could debug and fix issues with the new website. At that time the API held only dummy data, and the authentication token used for the API calls was generated then as well. Our team used Postman to test the APIs.

In late September 2019, one of our developers was assigned the same system that had been used for developing and debugging the website's APIs, and on which Postman had rarely been used since the website launched. Postman displays the history of past API requests prominently in the left column of its interface, and the developer negligently re-sent those API requests several times.

It is worth noting, though, that the authentication token in those API calls was an expired token from the time the website held dummy data, so none of those API requests would have returned any data. To prevent any such API calls from being made again, we have cleared the Postman history on all systems that were used in developing the website.

We thank the SocialEngine Team for patiently working with us on this.