The API Security Newsletter - Issue 22
Hi Everyone! Welcome to this 22nd edition of The API Security Newsletter. As always, I welcome any feedback via Twitter DM (https://twitter.com/filipv).
Google Discovers Severe Over-Confidence in API Security Solutions
APIs have undergone immense leaps in capability and ubiquity over the last decade. As 2023 unfolds, however, the danger presented by the now fully-fledged API industry cannot be overstated. Google’s recent study on cloud API security displays a few worrying trends, the worst of which may be the persistent overestimation of how well preexisting API security solutions are performing.
AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass
AWS administrators depend on CloudTrail to monitor API activity within their accounts. By logging API usage, CloudTrail enables teams to detect suspicious activity in AWS environments, catch attacks quickly, and better understand what happened following security incidents. The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account—without leaving any trace of their actions in CloudTrail.
T-Mobile data breach shows API security can’t be ignored
Enterprise security isn’t easy. Small oversights around systems and vulnerabilities can result in data breaches that impact millions of users. Unfortunately, one of the most common oversights is in the realm of APIs. With cloud adoption increasing dramatically over the past few years, analysts have long warned enterprises that a tidal wave of API exploitation has been brewing. Back in 2021, Gartner predicted that in 2023, API abuse would move from infrequent to the most frequent attack vector.
50% of orgs report experiencing data breaches due to exposed API secrets
API vulnerabilities are a serious issue that can’t be overlooked. Just one API vulnerability led to the breach of 5.4 million Twitter users’ data, and cybercriminals are well aware that all they need to gain access to an organization’s personally identifiable information (PII) is to harvest the right secrets.
In January 2021, Nissan North America experienced a similar incident, leaving a Git server exposed online with default access credentials, resulting in several of the firm's repositories becoming public. This incident led to the leak of 20 GB of data, including mobile app and internal tool source code, market research and client acquisition data, diagnostics, and NissanConnect service details. Nissan and other car companies were also shown to follow poor API security practices on their mobile apps and online portals, potentially leading to account takeovers and sensitive information exposure.
Alleged FBI Database Breach Exposes Agents and InfraGard
The InfraGard website has an API built into several key components allowing members to communicate with each other. This made the user data easily accessible through the API. After the FBI approved their imposter InfraGard membership, USDoD commissioned a friend to write a Python script to retrieve all available user data from the API.
ODIN took SweepWizard offline after being notified, and it remains unavailable for download on the major app stores at this time. However, the company’s only statements to the media thus far have indicated that it cannot replicate the “alleged security compromise” but continues to investigate. WIRED said that the vulnerability was a failure to secure API endpoints, allowing anyone who knows (or hits upon) the correct URL to access private data via a web browser.
One more thing…
Join David Jamieson as he explores his work in quantum technology and looks at how we plan to build the first quantum machines.
Einstein's most revolutionary idea, the light quantum, led to the concept for a radical new type of computer. This computer would use the strange rules of quantum mechanics to process information encoded in quantum bits, otherwise known as qubits. In this talk you will find out more about how these large-scale devices may be able to solve important problems that cannot be solved by classical machines, and about some of the formidable scientific and technical obstacles that would need to be overcome, through the use of unprecedented precision to manipulate and interrogate single atoms.
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).