Bloomberg Credits Agio for API Permissions Detection

During a comprehensive penetration test for one of our enterprise clients, we recently discovered a vulnerability affecting the default installation settings of the Bloomberg Professional Client software, one that had the potential to compromise over 300,000 Bloomberg subscribers. If an attacker had successfully exploited this vulnerability, they could have gained local administrative privileges, with full control of the environment a short step away.

Agio worked closely with Bloomberg to ensure the specifics of the vulnerability did not fall into the wrong hands; they have been extremely responsive and professional, proactively collaborating with us to address the issue. Bloomberg has since released a software update that remediates the vulnerability, along with release notes highlighting Agio’s discovery. We also recommend firms verify their users do not hold administrative privileges unless specifically intended: orphan administrative accounts could have been created before Bloomberg’s software update was applied, and companies will want to ensure no legacy threats remain in their environment. This is a powerful reminder that employees are a firm’s front line, and therefore potentially its weakest link.
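One practical way to act on the recommendation above is to audit the local Administrators group on each workstation against a list of the accounts that are expected to be there. The script below is an added example, not code from Agio or Bloomberg; it assumes Windows 10 / Server 2016 or later (where `Get-LocalGroupMember` and `Get-LocalUser` are available) and an allowlist that you supply. The `$Allowed` values shown are constructed placeholders.

```powershell
# Added example (not Agio's or Bloomberg's code): report members of the local
# Administrators group that are not on an allowlist, plus any enabled local
# user accounts, so orphan admin accounts can be spotted and removed.
# Assumption: Microsoft.PowerShell.LocalAccounts module is present (Win10/2016+)
# and the script runs with rights to read local group membership.

param(
    # Principals expected to hold local admin rights (constructed sample values).
    [string[]]$Allowed = @('Administrator', 'Domain Admins'),
    [string]$Group = 'Administrators'
)

$findings = @()

# 1. Unexpected members of the local Administrators group.
foreach ($m in Get-LocalGroupMember -Group $Group) {
    # Name is returned as COMPUTER\user or DOMAIN\group; compare the last part.
    $short = ($m.Name -split '\\')[-1]
    if ($Allowed -notcontains $short) {
        $findings += [pscustomobject]@{
            Check  = 'UnexpectedAdmin'
            Name   = $m.Name
            Class  = $m.ObjectClass      # User or Group
            Source = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
        }
    }
}

# 2. Enabled local accounts: on a domain-joined workstation these are rare
#    and each one deserves a second look, whether or not it is an admin.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    $findings += [pscustomobject]@{
        Check  = 'EnabledLocalUser'
        Name   = "$env:COMPUTERNAME\$($u.Name)"
        Class  = 'User'
        Source = 'Local'
    }
}

if ($findings.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME: no unexpected local admins or enabled local users."
    exit 0
}

$findings | Sort-Object Check, Name | Format-Table -AutoSize
# Non-zero exit so a fleet-wide run (e.g. via your RMM or Invoke-Command)
# can collect the hosts that need attention.
exit 1
```

Run it across the fleet with `Invoke-Command -ComputerName <hosts> -FilePath .\Audit-LocalAdmins.ps1` and collect the non-zero exits; any account that is not on the allowlist should be explained or removed with `Remove-LocalGroupMember`.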

The detection of this vulnerability by our security team is pivotal to changing the way firms conduct security assessments. It’s safe to say at least 1,000 assessments were performed last year, and not one uncovered this vulnerability. Why? Many security firms focus on external surfaces or on exposures identified by automated scanning tools. Best-of-breed tools are important, but at the end of the day you’re only as good as the person doing the work. Agio harnesses these automated tools as a starting point, but it’s our policy to dig deeper, drawing on the keen sense of awareness our engineers have built over many years of experience. If something piques our interest, it’s for good reason. We’ve always said 360° security is about diligence, expertise, and process first and, only then, technology; our Bloomberg discovery is a perfect example of why we adhere to such a holistic philosophy.

If you have any questions or concerns, please contact Ray Hillen, Agio’s Director of Security Consulting. We’ve got you covered.