A critical vulnerability in web application firewalls (WAFs) used by some of the world’s largest companies, including JPMorgan Chase, Visa, and Intel, has exposed thousands of web applications to potential cyberattacks. The misconfiguration flaw, affecting nearly 40% of Fortune 100 companies, allows attackers to bypass WAF protections, leaving backend systems open to ransomware, denial-of-service attacks, and full system compromise.
The research mapped 8,000 domains to 36,000 backend servers directly exposed to the internet. This misconfiguration facilitates attacks ranging from distributed denial-of-service (DDoS) attacks to full system compromises, which could lead to ransomware or data breaches.
Cyber experts conducted a test attack that demonstrated the severity of this issue. They disrupted a domain owned by Berkshire Hathaway’s subsidiary BHHC for 20 seconds, showing how easily attackers could exploit the flaw.
The vulnerability arises from a systemic architectural blind spot in CDN/WAF solutions. Modern WAF providers often double as content delivery networks (CDNs), routing traffic from edge servers to backend systems. For security, backend servers should validate that incoming traffic originates solely from the CDN. However, a failure to implement this validation leaves these servers exposed.
Attackers can exploit this flaw by mapping external domains to backend IP addresses, a process that researchers highlight as alarmingly straightforward.
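The validation step the article says is missing, as an added illustration that is not part of the original article or of any vendor's code: the origin server admits a request only if the TCP peer address falls inside the CDN's edge ranges and the request carries a shared secret the CDN injects. The CIDR ranges and the secret are constructed placeholders (RFC 5737/3849 documentation addresses); a real deployment loads the provider's published edge ranges and keeps the secret out of source. The decision uses the socket peer address, not X-Forwarded-For, because a client reaching the origin directly controls that header.

```python
import hmac
import ipaddress

# Constructed example allowlist. In production, load the CDN provider's
# published edge ranges and refresh them on a schedule.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32")]

# Constructed placeholder. The CDN adds this header on every forwarded
# request; a real secret comes from a vault and is rotated.
ORIGIN_SECRET = b"constructed-example-secret"


def is_cdn_peer(peer_ip: str) -> bool:
    """True if the TCP peer address lies inside a CDN edge range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:          # garbage in the peer field is never trusted
        return False
    return any(addr in net for net in CDN_RANGES)


def has_valid_origin_token(headers: dict) -> bool:
    """Constant-time comparison of the CDN-injected shared secret."""
    token = headers.get("X-Origin-Token", "")
    return hmac.compare_digest(token.encode(), ORIGIN_SECRET)


def admit_request(peer_ip: str, headers: dict) -> tuple:
    """Return (status, reason). Both checks must pass (defence in depth)."""
    if not is_cdn_peer(peer_ip):
        return 403, "peer not in CDN allowlist"
    if not has_valid_origin_token(headers):
        return 403, "missing or wrong origin token"
    return 200, "ok"


if __name__ == "__main__":
    # Direct hit on the origin: spoofed X-Forwarded-For does not help.
    print(admit_request("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}))
    # Genuine edge-to-origin request carrying the secret.
    print(admit_request("203.0.113.7",
                        {"X-Origin-Token": "constructed-example-secret"}))
```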
The ramifications are staggering. With over 20% of Fortune 1000 companies affected, this vulnerability presents an enormous risk to business-critical applications. Financial and operational damages from such attacks are significant:
- A typical DDoS attack, lasting an average of 68 minutes, costs general victims approximately $408,000 and escalates to $1.8 million for financial organisations.
- For high-transaction businesses, like a major pizza chain identified in the research, even a one-hour outage could cost nearly $1.9 million in lost sales.
High-profile breaches such as the Capital One incident, which exploited a similar WAF bypass, underscore the catastrophic potential of such vulnerabilities.