API Security Breaches – Lessons learned
In the digital age, APIs (Application Programming Interfaces) have become the backbone of modern application architecture, enabling seamless integration and communication between various software applications. The increasing reliance on APIs has also opened up new avenues for cyber threats: recent API security breaches have underscored the importance of robust security measures, including the discovery and management of rogue APIs.
The Rising Threat of API Security Breaches
APIs are a prime target for cybercriminals due to the sensitive nature of the data they handle. Recent breaches have demonstrated the devastating consequences of inadequate API security, including data leaks, financial loss, and damage to brand reputation.
- Facebook: In 2018, Facebook suffered a significant breach where attackers exploited a vulnerability in Facebook’s “View As” feature, which was related to Facebook’s API. The breach affected 30 million users, whose access tokens were stolen. This incident highlighted the importance of regularly auditing and testing APIs for vulnerabilities.
- Twitter: The 2013 exploitation of Twitter’s API, lead to the unauthorized access of approximately 250,000 user accounts. The attackers were able to access user information, including usernames, email addresses, and encrypted/salted versions of passwords. This breach underscored the importance of securing APIs, even when they are not directly exposed to end-users.
- Strava: In 2018, the fitness tracking app Strava unintentionally exposed sensitive information about military bases and patrol routes through the data shared via its API. The users of the Strava app were military personnel and subject to an elevated security risk as a result. This incident highlighted both the potential risks and the importance of considering privacy when designing APIs.
- Panera Bread: In 2018, Panera Bread’s website had an unauthenticated endpoint (API) that leaked millions of customer records, including names, email addresses, physical addresses and birthdays, as well as the last four digits of customer credit card numbers. This breach emphasized the importance of properly securing APIs and ensuring that sensitive data is not unnecessarily exposed.
- Zendesk: A GraphQL endpoint on their popular help desk ticketing platform was vulnerable to SQL injections. This specific vulnerability could be exploited to reveal sensitive user data. While it was active, the software flaw allowed attackers to access customer conversations, email addresses, ticket numbers and comments.
These incidents highlight two critical aspects of preventing API security breaches: the need for robust API security measures, and the importance of discovering and managing rogue APIs.
The Importance of Rogue API Discovery and Protection
Rogue APIs are developed and deployed without the proper oversight of the IT or security team. They often do not adhere to the organization’s security policies and can provide a backdoor for attackers.
The discovery and management of rogue APIs are crucial for maintaining a secure API environment. Automated discovery tools can scan the network for API traffic, identifying any that are not listed in the organization’s API directory and flagging them for further investigation.
Once a rogue API is discovered, it needs to be evaluated to determine if it can be brought into compliance with the organization’s security policies; if it can’t, it needs to be decommissioned. In either case, the existence of rogue APIs should trigger a review of the organization’s overall development and deployment practices to prevent similar occurrences in the future.
Bringing APIs into Compliance
Bringing an API into compliance involves ensuring it adheres to the organization’s security policies. This may involve implementing proper authentication and authorization mechanisms, encrypting data both in transit and at rest, validating all API requests, and setting up regular audits and monitoring.
Regulators are emphasizing security compliance as well. In fact, the US Consumer Financial Protection Bureau (CFPB) recently announced a rule that requires financial institutions to take actions to secure their APIs, including specifics such as ensuring that consumer and developer interfaces remain separate.
Bringing rogue APIs into compliance may also involve integrating them into the organization’s API management platform. This ensures they are subject to the same security measures, monitoring, and governance as other APIs.
Lessons Learned
Recent API security breaches have underscored the importance of robust API security measures. They have highlighted the need for a comprehensive approach to API security, including the importance of bringing all APIs into compliance with the organization’s security policies.
These incidents serve as a reminder that API security is not a one-time effort but an ongoing process. It requires continuous monitoring, regular audits, and proactive measures to discover and manage rogue APIs. By learning from these incidents and implementing robust security measures, organizations can protect their sensitive data and maintain the trust of their users.
Get an Attacker’s View into Your Organization
Sign up for the latest Cequence Security news
By clicking Subscribe, I agree to the use of my personal data in accordance with Cequence Security Privacy Policy. Cequence Security will not sell, trade, lease, or rent your personal data to third parties.