Threat actors continue to find gaps in API security. The push to modernize digital services and integrate them with other services hands malicious actors a broad attack surface. In a world where development speed, innovation and iteration often trump security concerns, APIs give adversaries a way into services and a way out with sensitive data. 2021 has already seen a large number of API attacks. Here are four of the biggest.
Parler API hack
Parler is a social networking platform that became popular in the United States under the Trump administration.
The hack might best be described as an act of hacktivism: an attack on a system carried out for social or political reasons. In this case, the motivation seemed to be a desire to reveal what kind of content users had posted on Parler in the run-up to the U.S. Capitol siege.
Whatever the motivation, the method was strikingly simple. Security researchers took advantage of an API endpoint that required no authentication and imposed no rate limit, so they could pull any user content they wanted without anything on Parler's side throttling or flagging the activity. The other piece of the puzzle was that Parler assigned post IDs sequentially, so the researchers did not have to discover URLs; they simply counted upward, which made it easy to download millions of posts at scale. Sequential identifiers are not a vulnerability on their own, but combined with an endpoint that needs no credentials and enforces no limits they turn a single request into a complete archive.
Clubhouse API hack
Clubhouse is a social networking platform based on audio rather than text. Its audio chat rooms can host thousands of people conversing at the same time. The Clubhouse app is relatively new: it launched in April 2020.
Just 12 months after launch, Clubhouse had over 10 million weekly users. Then the platform fell victim to a data breach: a popular hacking forum published a database of over 1.3 million user records containing names, account creation dates and photo URLs.
The flaw in this case was that anyone could call the API and enumerate every public Clubhouse user profile. Interestingly, on Twitter, Clubhouse steadfastly defended itself against allegations of poor security practices. According to one company tweet, "The data mentioned is all public profile information from our app, which anyone can access via the app or our API." The platform's policy prohibits unauthorized scraping of data, but a policy that nothing enforces is not a control. The API lacked anti-scraping measures such as authentication, per-client rate limiting and monitoring of bulk access, and it is technical controls like these, at the API layer, that have to enforce the policy.
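The Parler and Clubhouse incidents share one mechanism: an endpoint anyone can call, nothing counting how often it is called, and (at Parler) identifiers that can simply be counted up. The Go program below is an added example written for this article, not code from Parler, Clubhouse or any vendor. It simulates both sides in-process with net/http/httptest: a weak handler with sequential IDs and no controls, which a scraper walks end to end, beside a hardened handler that keys records by random IDs, requires a bearer token, and throttles each client address. The records, token, limits and client are all constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Post is a constructed stand-in for a user-generated record served by an API.
type Post struct{ ID, Author, Body string }

// newStore builds n constructed posts. With opaque=false the IDs are "1".."n", the
// guessable pattern that let Parler be walked end to end; with opaque=true they are
// random 128-bit hex strings, so reaching the endpoint reveals nothing to ask for.
func newStore(n int, opaque bool) map[string]Post {
	s := make(map[string]Post, n)
	for i := 1; i <= n; i++ {
		id := fmt.Sprint(i)
		if opaque {
			b := make([]byte, 16)
			rand.Read(b)
			id = fmt.Sprintf("%x", b)
		}
		s[id] = Post{ID: id, Author: fmt.Sprintf("user%d", i), Body: "constructed post"}
	}
	return s
}

// weakHandler serves GET /posts/{id} to anyone, with no cap on request volume.
func weakHandler(store map[string]Post) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := store[strings.TrimPrefix(r.URL.Path, "/posts/")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(p)
	})
}

// hardenedHandler adds the controls both incidents lacked: a fixed-window per-client
// request limit applied before anything else (so unauthenticated floods are throttled
// too) and a bearer token that must be present before any record is returned.
func hardenedHandler(store map[string]Post, token string, limit int, window time.Duration) http.Handler {
	var mu sync.Mutex
	counts, start := map[string]int{}, time.Now()
	inner := weakHandler(store)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		client, _, _ := net.SplitHostPort(r.RemoteAddr) // key on the address, not the port
		mu.Lock()
		if time.Since(start) > window { // window elapsed: reset every client's counter
			counts, start = map[string]int{}, time.Now()
		}
		counts[client]++
		over := counts[client] > limit
		mu.Unlock()
		if over {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		inner.ServeHTTP(w, r)
	})
}

// scrape counts upward through /posts/1../posts/maxID the way the Parler and Clubhouse
// data was pulled. It returns how many records it obtained and the status that stopped
// it (0 if it ran to completion; a 404 is just a gap in the ID space and is skipped).
func scrape(baseURL string, maxID int, token string) (got, stoppedOn int) {
	for i := 1; i <= maxID; i++ {
		req, _ := http.NewRequest("GET", fmt.Sprintf("%s/posts/%d", baseURL, i), nil)
		if token != "" {
			req.Header.Set("Authorization", "Bearer "+token)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return got, -1
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusOK {
			got++
		} else if resp.StatusCode != http.StatusNotFound { // 401, 429: a control stopped us
			return got, resp.StatusCode
		}
	}
	return got, 0
}

func main() {
	weak := httptest.NewServer(weakHandler(newStore(1000, false)))
	defer weak.Close()
	got, _ := scrape(weak.URL, 1000, "")
	fmt.Printf("weak API: scraped %d of 1000 posts\n", got)
	hard := httptest.NewServer(hardenedHandler(newStore(1000, true), "s3cret", 100, time.Minute))
	defer hard.Close()
	got, st := scrape(hard.URL, 1000, "")
	fmt.Printf("hardened API, no token: %d posts, stopped by HTTP %d\n", got, st)
	got, st = scrape(hard.URL, 1000, "s3cret")
	fmt.Printf("hardened API, with token: %d posts, stopped by HTTP %d\n", got, st)
}
```

Against the weak server the scraper gets every record; against the hardened one it gets none, first because it has no token, then, even with a stolen token, because numeric guesses never hit an opaque ID and the per-client budget runs out after the configured number of requests. A fixed window is the simplest limiter to read; a production deployment would more likely use a token bucket and key on the authenticated principal as well as the address.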
LinkedIn API hack
In another major 2021 incident, attackers pulled data on over 700 million LinkedIn users and offered it for sale on the dark web. LinkedIn is the world's largest professional social networking platform, and the 700 million exposed users make up over 90% of the site's user base.
The data stolen from this breach included names, phone numbers, and physical addresses. Such information can become incredibly valuable in the hands of adversaries who conduct phishing, smishing, and other social engineering campaigns.
The actors behind this attack were able to download the data through LinkedIn's API. The specific API weaknesses that made it possible remain unclear. What is clear is that the platform did not pay enough attention to API security practices: the actors could make an unlimited number of data requests without being flagged or stopped.
The Salt Security API security checklist puts it this way: "test your APIs for security, but know that you also need runtime protection to intercept changes that don't go through the standard build process and abuse that testing tools can't find." You cannot find fundamental bugs without testing your APIs for security, and those tests belong inside the DevOps cycle rather than bolted on at release time.
NoxPlayer API hack
NoxPlayer is an Android emulator for PC and Mac. In early 2021, security researchers revealed that an API compromise had been used to distribute malware to a small number of NoxPlayer users. The unidentified threat actors compromised the company's official API and abused the fact that the client performed insufficient validation of the API response, so whatever the compromised API told it to install, it installed.
The attackers managed to deliver three different malware families disguised as software updates. Security researchers believe these strains had surveillance-related capabilities. NoxPlayer owner BigNox has since fixed the API vulnerabilities that made the attack possible.
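The page does not say exactly which validation the NoxPlayer client skipped, so the following is a generic illustration added here; it is not BigNox's updater or its fix. It shows an update client that installs whatever URL the update API returns, beside one that requires the update manifest to carry a signature verifiable with a key pinned in the client, the download to come from the expected origin over TLS, and the file's SHA-256 to match the signed digest. The manifest format, hostnames, payloads and the choice of ed25519 are assumptions constructed for the demo; the download is an in-memory map so the program runs offline. The property that matters in this class of attack is that an actor who controls the API host but not the signing key can rewrite the response but cannot re-sign it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the constructed shape of an update-check response: where to fetch
// the update, what it must hash to, and the vendor's signature over those fields.
type Manifest struct {
	Version   string `json:"version"`
	URL       string `json:"url"`
	SHA256    string `json:"sha256"`
	Signature string `json:"signature"` // hex ed25519 signature over signedBytes()
}

func (m Manifest) signedBytes() []byte {
	return []byte(m.Version + "\n" + m.URL + "\n" + m.SHA256 + "\n")
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// naiveUpdate mirrors the flaw the page describes: whatever the API response says
// to install is fetched and installed, with nothing checking that it is genuine.
func naiveUpdate(resp []byte, get func(string) ([]byte, error)) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(resp, &m); err != nil {
		return nil, err
	}
	return get(m.URL)
}

// verifiedUpdate trusts nothing the API server says until a public key pinned in
// the client vouches for it, then pins the download origin and checks the digest.
func verifiedUpdate(resp []byte, get func(string) ([]byte, error), pub ed25519.PublicKey, host string) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(resp, &m); err != nil {
		return nil, err
	}
	if sig, err := hex.DecodeString(m.Signature); err != nil || !ed25519.Verify(pub, m.signedBytes(), sig) {
		return nil, errors.New("manifest signature invalid")
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" || u.Host != host {
		return nil, errors.New("update URL not on the expected origin")
	}
	body, err := get(m.URL)
	if err != nil {
		return nil, err
	}
	if digest(body) != m.SHA256 {
		return nil, errors.New("downloaded file does not match the signed digest")
	}
	return body, nil
}

// demo plays the compromised-API scenario against both updaters using constructed
// keys, hostnames and payloads, and reports which checks held.
func demo() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return nil, err
	}
	const vendor = "updates.example-vendor.test"
	vendorURL, attackerURL := "https://"+vendor+"/nox-7.0.1.bin", "https://cdn.attacker.test/nox-7.0.1.bin"
	genuine, malware := []byte("constructed genuine update"), []byte("constructed attacker payload")
	files := map[string][]byte{vendorURL: genuine, attackerURL: malware}
	get := func(u string) ([]byte, error) { return files[u], nil } // stands in for an HTTPS download
	// The release pipeline signs the manifest; the private key never ships to clients.
	good := Manifest{Version: "7.0.1", URL: vendorURL, SHA256: digest(genuine)}
	good.Signature = hex.EncodeToString(ed25519.Sign(priv, good.signedBytes()))
	// The attacker controls the API host but not the signing key: the response can be
	// rewritten to point at their payload, but the old signature no longer covers it.
	bad := good
	bad.URL, bad.SHA256 = attackerURL, digest(malware)
	goodJSON, _ := json.Marshal(good)
	badJSON, _ := json.Marshal(bad)

	r := map[string]bool{}
	b, err := naiveUpdate(badJSON, get)
	r["naive installed attacker payload"] = err == nil && string(b) == string(malware)
	_, err = verifiedUpdate(badJSON, get, pub, vendor)
	r["verified rejected rewritten manifest"] = err != nil
	files[vendorURL] = malware // manifest left intact, file behind the vendor URL swapped
	_, err = verifiedUpdate(goodJSON, get, pub, vendor)
	r["verified rejected swapped file"] = err != nil
	files[vendorURL] = genuine
	b, err = verifiedUpdate(goodJSON, get, pub, vendor)
	r["verified accepted genuine update"] = err == nil && string(b) == string(genuine)
	return r, nil
}

func main() {
	r, err := demo()
	fmt.Println(r, err)
}
```

The naive client installs the attacker's payload as soon as the API response is rewritten; the verifying client rejects the rewritten manifest, rejects a swapped file even when the manifest itself is genuine, and still accepts the real update. Signing the manifest and pinning the verification key in the client is what removes the API server from the trust boundary; origin pinning and the digest check are cheap additional layers, not substitutes for the signature.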
As long as security remains an afterthought in the development lifecycle, hackers will continue to successfully exploit API vulnerabilities. Organizations need to act fast with dedicated security strategies for APIs. In today’s fast-paced digital landscape, it’s all too common for businesses to prioritize innovation and delivery speed. While this can provide a competitive advantage in the short term, in the long term it is almost a guarantee that attackers will take advantage of a company’s lack of security.
APIs continue to open up more points of communication between apps and services, but at the same time offer more opportunities for hackers to exploit vulnerabilities. API security must be a priority if you want to protect your most sensitive information assets.