Actually an nth-party risk: a third-party risk to a third-party vendor.
OpenSea NFT market warns of third-party risk to its API.
Decrypt reports that OpenSea, a large online marketplace for non-fungible tokens (NFTs), has warned users of its API that they should swap their keys. Whether they do so or not, all keys will expire on October 2nd.
Exposure to nth-party risk.
It’s a case of nth-party risk. Bitcoinist reports that on Friday one of OpenSea’s vendors, blockchain data analytics company Nansen, disclosed that one of its own third-party vendors had been compromised. The unnamed vendor had informed Nansen that an unauthorized party had gained admin rights to “an account used to provision customer access to our platform.” About 6.8% of Nansen’s customers were said to have been affected. Thus, to OpenSea's customers, it's a case of risk within risk within risk.
The significance of compromised keys.
Secure, uncompromised keys are essential if encryption is to function properly. Jason Kent, Hacker in Residence at Cequence Security, wrote, “Though cryptography often aids in the protection of data in transit and allows for protected data to be read by authorized users, we all know it centers around one understanding, we must protect the key.”
Kent sees systems that permit long-term use of keys as inherently vulnerable to this sort of compromise. “In systems that are automatically used it is often the case that they are set up with long-term access being a priority but, as shown here, this is a poor design. If the data repository is accessible and the keys are compromised a perfect storm exists where the data can be acquired by a malicious 3rd party. Rotating the keys is extremely important, it should happen early and often, long term key storage is how these types of breaches can occur.”
Anjum Ahuja, Sr. Director, Security Research at Traceable AI, pointed out other issues peculiar to API keys. “API keys provide unrestricted access to the platform, bypassing other security controls like two-factor authentication or CAPTCHA. Moreover, often API keys are unscoped, i.e., they give complete access to all the available APIs. Attackers love abusing APIs as they can rapidly automate and execute their attack before the target can notice and take remedial action.”
Ahuja added, “A well-designed API key should require an explicit scope for specific functions and actions like read or write, an expiry, and preferably an IP-based access control mechanism. OAuth is generally a better authorization mechanism because it implements some of these controls out of the box.”
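The controls Kent and Ahuja describe (scoped keys, a hard expiry, an IP allowlist, and rotation with a short overlap rather than long-lived keys) can be made concrete in a small server-side key store. The following is an added illustration, not code from OpenSea, Nansen, or either commentator; the `ApiKeyStore` class, the key format, the 203.0.113.0/24 network and the timestamps are all constructed for the example, and times are plain unix seconds so that expiry is easy to reason about.

```python
import hashlib, hmac, ipaddress, secrets

def _hash(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

class ApiKeyStore:
    def __init__(self):
        self.records = {}  # key_id -> {"hash", "scopes", "expires_at", "nets"}; never the plaintext secret

    def issue(self, scopes, ttl, allowed_cidrs, now):
        # Key format '<id>.<secret>'; scope, expiry and an IP allowlist are mandatory, not optional extras.
        key_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.records[key_id] = {"hash": _hash(secret), "scopes": frozenset(scopes), "expires_at": now + ttl,
                                "nets": [ipaddress.ip_network(c) for c in allowed_cidrs]}
        return f"{key_id}.{secret}"

    def _lookup(self, presented):
        # Constant-time secret check; unknown ids are compared against a dummy hash.
        key_id, _, secret = presented.partition(".")
        rec = self.records.get(key_id)
        expected = rec["hash"] if rec else _hash("")
        return rec if hmac.compare_digest(expected, _hash(secret)) and rec is not None else None

    def rotate(self, presented, ttl, grace, now):
        # Caller must present the old key; it keeps working only for `grace` seconds of overlap.
        old = self._lookup(presented)
        if old is None:
            raise PermissionError("bad key")
        old["expires_at"] = min(old["expires_at"], now + grace)
        return self.issue(old["scopes"], ttl, [str(n) for n in old["nets"]], now)

    def authorize(self, presented, scope, client_ip, now):
        """Return (allowed, reason); every control must pass, none substitutes for the others."""
        rec = self._lookup(presented)
        if rec is None:
            return False, "bad key"
        if now >= rec["expires_at"]:
            return False, "expired"
        if scope not in rec["scopes"]:
            return False, "scope not granted"
        if not any(ipaddress.ip_address(client_ip) in n for n in rec["nets"]):
            return False, "ip not allowed"
        return True, "ok"

if __name__ == "__main__":
    store, t0 = ApiKeyStore(), 1_664_150_400  # constructed timestamp, unix seconds
    old = store.issue(["read"], 30 * 86400, ["203.0.113.0/24"], t0)
    new = store.rotate(old, 30 * 86400, 3600, t0)  # one-hour overlap for the old key
    print(store.authorize(old, "read", "203.0.113.7", t0 + 7200), store.authorize(new, "read", "203.0.113.7", t0 + 7200))
```

A key that fails any one check is refused, so a leaked key is bounded by its scope, its source network and its remaining lifetime, and rotating it shortens that lifetime to the grace window.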