A security researcher this week detailed how she found an application programming interface (API) flaw in a German student community app that could have exposed the personal information of hundreds of thousands of users.
The developer has patched the vulnerability, but it is the latest example of the security vulnerabilities that arise in APIs when application developers do not take enough care in their coding.
That point was made clear in a report released this week by Akamai Technologies, part of its State of the Internet series, which found threat actors are increasingly taking advantage of security gaps in APIs.
“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” Steve Ragan, Akamai security researcher and author of the report, said in a statement.
“API attacks are both under-detected and under-reported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack, but that doesn’t mean they should be ignored.”
APIs are supposed to be versatile, says the report, enabling ease of use and access for both the business and end-user. Most organizations use APIs in some fashion, either internally or externally, for customers or business partners, or a mix of both.
However, sometimes developers don’t get the balance right between ease of use and security.
For example, the report notes that in 2020, Twitter acknowledged that a large number of fake accounts were exploiting its API and matching usernames to phone numbers. The API function was supposed to make it easier for users to find friends, but malicious actors exploited this feature for data enrichment.
In another example, a security researcher this year showed he was able to identify members of closed groups on Facebook by using the social media giant’s API.
More seriously, says the report, criminals are actively seeking to compromise the accounts of users of the API-based Twilio service. Twilio allows software developers to add the ability to make and receive phone calls, send and receive text messages, and perform other communication functions using its web service APIs. Compromised Twilio accounts could be used for general spamming, passive phishing, targeted phishing, and other fraud.
In February, a researcher showed that every one of a set of mobile medical applications with APIs was vulnerable to broken object authorization, allowing the personal information of users to be viewed. Nearly 80 per cent of the applications tested had hard-coded API keys (including some that never expire), tokens, private keys, and even hard-coded usernames and passwords built into their design.
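To show what the broken object authorization finding above looks like in code, here is an added example (not from the article, the Akamai report, or the apps in question) with a constructed in-memory record store: a handler that returns any record by id to any authenticated caller, beside a hardened handler that enforces ownership and logs denials so enumeration attempts are visible.

```python
# Added example: broken object authorization (vulnerable) vs. an object-level
# ownership check (hardened) over a constructed in-memory medical-record store.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    diagnosis: str


# Constructed sample data: two patients, each owning one record.
RECORDS = {
    101: Record(101, owner_id=1, diagnosis="hypertension"),
    102: Record(102, owner_id=2, diagnosis="asthma"),
}

# Constructed audit sink; a real service would ship these to its SIEM.
AUDIT_LOG: List[str] = []


def get_record_vulnerable(caller_id: int, record_id: int) -> Optional[Record]:
    """The caller is authenticated, but nothing checks that the record is theirs:
    any valid session can walk every record id and read other users' data."""
    return RECORDS.get(record_id)


def get_record_hardened(caller_id: int, record_id: int) -> Optional[Record]:
    """Object-level check: a record is returned only to its owner.
    Missing and foreign records get the same answer so existence is not leaked,
    and every denial is logged for detection of id enumeration."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != caller_id:
        AUDIT_LOG.append(f"DENY caller={caller_id} record={record_id}")
        return None
    return record


def count_readable(handler: Callable[[int, int], Optional[Record]], caller_id: int) -> int:
    """Number of records in the store that `caller_id` can read through `handler`."""
    return sum(1 for rid in RECORDS if handler(caller_id, rid) is not None)


if __name__ == "__main__":
    print("vulnerable handler:", count_readable(get_record_vulnerable, 1))  # 2
    print("hardened handler:  ", count_readable(get_record_hardened, 1))    # 1
    print("audit log:", AUDIT_LOG)
```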
One reason for these mistakes is the rush to get software out the door. The Akamai report quotes a survey done for Veracode last year which said 48 per cent of organizations questioned admitted regularly pushing vulnerable code to market.
The Akamai report recommends these best practices for app developers and infosec pros:
–discover your APIs and track them as you would inventory;
–test them and understand their vulnerabilities. Start by looking for hard-coded keys, logic calls and whether API traffic could be compromised by an impersonation attack;
–leverage existing web application firewall infrastructure, identity management and data protection solutions, and specialized API security tools during the development and launch of an app;
–avoid creating unique policies for every API. Instead create blanket policies that can be reused;
–include stakeholders when developing APIs. That includes not only the development team but also the network, security, identity, risk management, and legal/compliance teams.
The report also says developers can take cues from the Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks.