The API Security Newsletter - Issue 21
Hi Everyone! Welcome to this 21st edition of The API Security Newsletter (and welcome to 2023, we made it!). As always, I welcome any feedback via Twitter DM (https://twitter.com/filipv).
As mentioned in issue 20 of this newsletter, the previous platform I was using for my newsletter, Revue (part of Twitter), is shutting down, so I needed to migrate the newsletter to a new home. During the holiday break I played around with some options but ultimately decided on Substack.
Without further ado, on to the news!
If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.
At this point, we started a group chat and all began to work with the goal of finding vulnerabilities affecting the automotive industry. Over the next few months, we found as many car-related vulnerabilities as we could. The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
Why enterprises can’t afford to overlook API security in 2023
Hackers see APIs as an easy target for man-in-the-middle attacks or API key and token theft, to gain access to high-value information including personally identifiable information (PII) and intellectual property (IP).
“APIs are the common thread that connects all devices and microservices; gaining access to the pipeline that carries sought-after information can prove profitable. In today’s drive towards digital transformation, the popularity and use of APIs increases, as does the cyber-risk landscape associated with it,” said Filip Verloy, field CTO EMA at API provider Noname Security.
There are a few reasons that the topic of API security has been popping up more and more as 2022 comes to a close.
Back in July 2021, Gartner predicted that by 2022, application programming interface (API) attacks would become the most frequent attack vector, causing data breaches for enterprise Web applications.
Was the analyst firm right? It's too early to know for sure since OWASP is still tallying the results.
API attacks are back in the news. It turns out the likely ingress point for the Optus breach was a lowly REST API. And someone has leaked all of the data stolen from the Twitter breach — which also involved an API.
Crypto trading service 3Commas confirms massive API key leak from hack
The chief executive of the crypto trading platform 3Commas, Yuriy Sorokin, confirmed Wednesday that a set of 100,000 application programming interface keys published on Twitter by an anonymous user had in fact been obtained from its service.
This announcement followed reports last week that a group of traders had discovered they had become victims of a hack for about $22 million through using the 3Commas service.
The service allows users to set up trading bots that automatically execute trades on their behalf on cryptocurrency exchanges. Users link their 3Commas accounts to an exchange using API keys issued by that exchange to automate trades, and if those keys are stolen, their exchange accounts are exposed to attack. That's because with access to the API key, an attacker can execute trades, move currency and more.
DoD Identifies API Security as Critical for Zero Trust
For the first time, Application Programming Interfaces (APIs) were addressed as a key control point across multiple tenets. There are recurring requirements for agencies to control APIs by establishing and enforcing API standards and governance over API development and monitoring. What's interesting is that API visibility and control are called out in multiple sections, as well as in a dedicated section 6.6 titled API Standardization. As we at Noname have articulated before, API security is now an integral part of a Zero Trust strategy, and DoD's roadmap supports that assertion.
Noname Security, API Security Company, Joins the OpenAPI Initiative
The OpenAPI Initiative is announcing today that Noname Security has joined as a new member.
According to recent research commissioned by Noname Security, API Security Trends in 2022, 76% of those surveyed reported they had experienced an API security incident in the past 12 months. Noname covers API security across three pillars: posture management, runtime security, and API security testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley, California, and offices in Tel Aviv and Amsterdam.
200M Twitter Profiles, With Email Addys, Dumped on Dark Web for Free
A data dump of Twitter user details on an underground forum appears to stem from an API endpoint compromise and large-scale data scraping.
Public account details, including account name, handle, creation date, and follower count are all part of the 63GB worth of data uploaded to the Dark Web on Jan. 4, according to an investigation from Privacy Affairs. The cybercriminal responsible said the materials were collected via data scraping, which is a process of using automated scripts to lift public data from social media sites. However, the database also contains email addresses, the firm found — which aren't part of users' public profiles.
Six Cybersecurity Predictions As Organizations Plan For 2023
While it's overdue, 2023 could be the year that application programming interface (API) security sees more traction. VentureBeat notes that the growing number of APIs within and between corporate infrastructures has made API security one of the biggest challenges for CIOs today. Conversely, it also means that APIs are a growing target for cyberattackers. Consider promoting API security on your organization's security roadmap. Otherwise, it could be the Achilles' heel that provides attackers with unfettered access to your sensitive data.
One More Thing
I'm constantly amazed by the vast amount of high quality educational content you can find for free online. Below is one example of that. You can find many of these free courses via edx.org as well, but this time around freecodecamp has published the full CS50 course (2021) from Harvard on their YouTube channel. The course is an introduction to the intellectual enterprises of computer science and the art of programming.
Harvard CS50 – Full Computer Science University Course
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).