With more than 80% of internet traffic going through APIs, it’s not surprising that attackers often look for ways to exploit API weaknesses.
2021 was a year of serious internet breaches and data leaks involving many kinds of API abuse, including reverse engineering, unsecured databases and session hijacking.
Let’s look at the top 5 API security breaches and data leaks of 2021 that exposed millions of people’s personal information online.
1: LinkedIn data breach
What happened to LinkedIn?
Microsoft-owned LinkedIn has always been a valuable target for cybercriminals. In June 2021 a threat actor dubbed “God User” scraped data through LinkedIn’s APIs and put information on 700 million LinkedIn users (more than 90% of all LinkedIn profiles) up for sale on a dark web forum called RaidForums.
Image source: inputmag
Impact: A sample of 1 million profiles was posted, containing usernames and profile URLs, phone numbers, gender, inferred salaries, email addresses, social media account details, and so on.
How did it happen?
The hacker explained that the data was obtained by querying LinkedIn’s servers through its API; the information harvested was what users had themselves uploaded to LinkedIn. LinkedIn’s APIs are not designed to work as a login mechanism and cannot be called without prior authentication, which makes this a post-login (authenticated) scraping attack.
Tips to avoid: Risk-based protection for applications and APIs is crucial: it identifies endpoints, their exposure to risk and their vulnerabilities.
WAAP (Web Application & API Protection) platforms like AppTrana use signature detection, security-focused auditing, encryption in transit as standard (TLS) and other controls to block attempts at API abuse.
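Because the scraping above came through authenticated sessions, per-IP blocking alone would not catch it. The following added example (not code from the original article or from AppTrana) shows a detection pass keyed on the authenticated user: it walks a constructed profile-view log and flags any account that requests more distinct profiles inside a sliding window than a normal user would. The log schema, user names and thresholds are assumptions for the example.

```go
package main

import ("fmt"; "time")

// One profile-view API call (constructed schema, not LinkedIn's real log format).
type logEntry struct{ at time.Time; user, profile string }

// Constructed chronological log: "alice" views 3 profiles over 40 minutes;
// "harvester" pulls 50 distinct profiles in under 30 seconds from a valid session.
func sampleEntries() []logEntry {
	base := time.Date(2021, 6, 1, 10, 0, 0, 0, time.UTC)
	var out []logEntry
	for i := 0; i < 3; i++ {
		out = append(out, logEntry{base.Add(time.Duration(i) * 20 * time.Minute), "alice", fmt.Sprintf("p%d", 100+i)})
	}
	for i := 0; i < 50; i++ {
		out = append(out, logEntry{base.Add(time.Duration(i) * 600 * time.Millisecond), "harvester", fmt.Sprintf("p%d", 5000+i)})
	}
	return out
}

// flagScrapers keys on the authenticated user rather than the source IP, since
// post-login scraping arrives over valid sessions. Entries must be in time order.
// It returns each user whose distinct-profile count inside some sliding window
// exceeded maxDistinct, mapped to the peak count observed.
func flagScrapers(entries []logEntry, window time.Duration, maxDistinct int) map[string]int {
	byUser := map[string][]logEntry{}
	for _, e := range entries {
		byUser[e.user] = append(byUser[e.user], e)
	}
	flagged := map[string]int{}
	for user, evs := range byUser {
		inWindow, start := map[string]int{}, 0 // profile -> hits in the current window
		for _, e := range evs {
			inWindow[e.profile]++
			for e.at.Sub(evs[start].at) > window { // evict calls older than the window
				if inWindow[evs[start].profile]--; inWindow[evs[start].profile] == 0 {
					delete(inWindow, evs[start].profile)
				}
				start++
			}
			if n := len(inWindow); n > maxDistinct && n > flagged[user] {
				flagged[user] = n
			}
		}
	}
	return flagged
}

func main() { fmt.Println(flagScrapers(sampleEntries(), time.Minute, 20)) } // map[harvester:50]
```

In production the same counter would run over the API gateway's access log stream, and a flagged account would be throttled or challenged rather than blocked outright, since some legitimate recruiters do browse many profiles.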
2: NoxPlayer malicious update
In January 2021, a highly targeted cyber attack aimed at specific users of NoxPlayer, the most popular Android emulator for Windows and macOS with over 150 million users, was detected across Asia.
Image source: welivesecurity
Impact: Five NoxPlayer users in Taiwan, Hong Kong and Sri Lanka who downloaded the tampered update, delivered as if it were a legitimate NoxPlayer update, were infected with malware.
How did it happen? Attackers compromised NoxPlayer’s official API (api.bignox.com) and its file hosting server (res06.bignox.com). With control of the update infrastructure it was child’s play for the perpetrators to change the download URL returned for a software update, so that Android emulator victims in the Asian region received malware instead.
Tips to avoid: Make your web application more secure and prevent cyber hacks, malicious code and unauthorized access by performing bulk scanning of your website/app.
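The NoxPlayer case shows why an update client must not trust the URL or file it is handed just because the API and hosting server are the vendor’s own. The following added example (not NoxPlayer’s or AppTrana’s code) has the vendor sign an update manifest offline with an Ed25519 key, and the client verify the manifest under a pinned public key before checking the downloaded bytes against the signed digest. The manifest layout, version and URLs are placeholders constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// manifest is a constructed update descriptor of the kind an update API returns.
type manifest struct{ version, url, sha256Hex string }

// canonical is the exact byte string the vendor signs. Because the download URL
// is inside it, a compromised API cannot redirect clients without breaking the signature.
func (m manifest) canonical() []byte { return []byte(m.version + "\n" + m.url + "\n" + m.sha256Hex) }

// verifyUpdate is the client-side check: the manifest must verify under the
// pinned vendor key, and the downloaded bytes must match the signed digest.
func verifyUpdate(pinned ed25519.PublicKey, m manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.sha256Hex {
		return errors.New("payload digest mismatch: refusing update")
	}
	return nil
}

// demo signs a genuine manifest (the vendor's offline release step), then replays the two
// tampering points from the NoxPlayer case: a swapped download URL and a swapped file.
func demo() (genuineOK, urlSwapRejected, fileSwapRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed genuine update bytes")
	sum := sha256.Sum256(payload)
	// Version and URL are placeholders constructed for this example.
	m := manifest{"1.2.3", "https://updates.example.invalid/NoxPlayer-1.2.3.exe", hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.canonical())
	genuineOK = verifyUpdate(pub, m, sig, payload) == nil
	tampered := m
	tampered.url = "https://attacker.example.invalid/update.exe"
	urlSwapRejected = verifyUpdate(pub, tampered, sig, payload) != nil
	fileSwapRejected = verifyUpdate(pub, m, sig, []byte("constructed malicious bytes")) != nil
	return
}
func main() { fmt.Println(demo()) } // true true true
```

The private key never leaves the release system; only the public key is compiled into the client, so compromising api.bignox.com or res06.bignox.com alone would not let an attacker produce an update the client accepts.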
3: Bykea data breach
Bykea, Pakistan’s ride-hailing and on-demand delivery app, suffered a security breach that exposed highly sensitive data: customer and driver personally identifiable information (PII), internal employee credentials, production server information and potentially its API logs.
Impact: Over 400 million records containing more than 200 gigabytes of data were exposed for weeks. The database server held complete trip information that anyone could freely browse, including where customers were picked up and dropped off and when drivers would arrive during their trips.
Image Source: Security Detectives
The exposure of business email addresses used for correspondence with users could also serve as a gateway for attackers, who could combine them with the leaked user data to gain further advantage.
How did it happen? The exposed Elasticsearch instance had no password protection or encryption.
Tips to avoid: Data should be encrypted at rest and in transit. With cyberattacks rising sharply, exposing a database server to the open internet without basic authentication or encryption hygiene is like sending attackers an open invitation.
Deploy security solutions that not only cover vulnerability assessments, security audits and penetration tests, but also manage the security of your entire system.
4: The Central Bank of Russia’s money robbery
What happened in the Central Bank of Russia API security breach?
According to bank officials, criminals were able to attack the bank’s operations by hacking into its interbank electronic money transfer system. The threat actors transferred funds out of customer accounts using the Fast Payment System (FPS).
Impact: The “money transfer” attack appears to have been used to steal money from individuals; no businesses were victimized.
How did it happen? This was a textbook case of broken object-level authorization (BOLA). Through an API endpoint, the attackers enumerated a list of the bank’s customer accounts.
They then replaced the “Account ID” parameter in a transfer request with any other customer’s account number. The transfer was allowed to proceed, appearing to have been requested by that account rather than by the attacker’s own account.
Tips to avoid: Access to objects referenced by URL parameters must be restricted and tied to the authenticated user’s unique session token. Protecting your cloud infrastructure against modern cyberattacks is what effectively prevents applications from being compromised in this way.
5: Parler API breach
An API vulnerability in the Parler social media app allowed a white hat hacker, donk_enby, to download archived public posts containing user data (including registration identifiers, emails and timestamps of login activity) just before Amazon Web Services, Google and Apple dropped Parler and took it offline.
Image source: Saltsecurity
Impact: 70 terabytes of data were taken from the Parler social network by cybercriminals collecting information through its insecure APIs. The “archived” data included deleted and private posts, videos, images, driver’s licenses, geolocation, cell phone types, ID cards, etc.
How did it happen? This is a case in point for reverse engineering: the hacker used the Ghidra software to analyze Parler’s iOS app and its API. Notably, the app used sequential numbering for post URLs, an insecure direct object reference (IDOR), so the guessable pattern let the white-hat hacker reach every post URL through the API without any authentication check.
Example: https://yourapp(dot)folder/v1/photo?id= . Adding 1 to the id value yields the next post URL in the sequence.
In Parler’s case, one could walk through post URLs in chronological order (which, in an ideal world, should be hidden and inaccessible) simply by incrementing the id by one.
Tips to avoid: In an ideal world, URLs should be hidden and inaccessible, with restrictions on public API calls. AppTrana mitigates such attacks through its innovative positive security model and behavior-based DDoS policies.
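The bank case (a swapped “Account ID”) and the Parler case (sequential post ids) are two faces of the same object-level authorization problem. The following added example (not the bank’s, Parler’s or AppTrana’s code) puts the vulnerable transfer beside its hardened form: the hardened version takes the caller from the authenticated session and checks ownership, returns one indistinguishable error for missing and foreign accounts so the endpoint cannot be used to enumerate ids, and issues random 128-bit identifiers that cannot be walked by adding one. Account names, balances and the in-memory store are assumptions for the example.

```go
package main

import ("crypto/rand"; "encoding/hex"; "errors"; "fmt")

// errDenied covers both "no such account" and "not your account", so the endpoint
// cannot be used as an oracle to enumerate which account IDs exist.
var errDenied = errors.New("transfer denied")
// account is a constructed record; Owner is the only principal allowed to debit it.
type account struct{ ID, Owner string; Balance int }
type bank struct{ accounts map[string]*account }

// newID returns a random 128-bit identifier. Unlike the sequential numbers in the
// Parler post URLs, the next valid ID cannot be derived by adding one.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}
func (b *bank) open(owner string, balance int) *account {
	a := &account{ID: newID(), Owner: owner, Balance: balance}
	b.accounts[a.ID] = a
	return a
}

// transferVulnerable mirrors the bank flaw: it acts on whatever "Account ID" the
// request carries and never asks who is making the request.
func (b *bank) transferVulnerable(fromID, toID string, amount int) error {
	from, to := b.accounts[fromID], b.accounts[toID]
	if from == nil || to == nil || amount <= 0 || from.Balance < amount {
		return errDenied
	}
	from.Balance, to.Balance = from.Balance-amount, to.Balance+amount
	return nil
}

// transfer is the hardened form: caller comes from the authenticated session,
// never from a request parameter, and must own the source account.
func (b *bank) transfer(caller, fromID, toID string, amount int) error {
	if from := b.accounts[fromID]; from == nil || from.Owner != caller {
		return errDenied
	}
	return b.transferVulnerable(fromID, toID, amount)
}
func main() {
	b := &bank{accounts: map[string]*account{}}
	v, m := b.open("victim", 100), b.open("mule", 0)
	fmt.Println(b.transfer("attacker", v.ID, m.ID, 50), v.Balance) // transfer denied 100
}
```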
In 2022, effective security awareness and stronger API security best practices pave the way for successful cyber security programs, and Industrial WAF will leave no stone unturned to keep your business safe and healthy online.