API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

The API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.

From the APISecurity.io Twitter

IETF #OAuth Working Group formally published standard proposal by Karsten Meyer zu Selhausen and @dfett42 on using the "iss" parameter for OAuth Authorization Responses to prevent Mix-Up Attacks: https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-00.html

Here's much better coverage of the Parler API vulnerabilities and the @donk_enby scripts that scraped the system. Basically, there was no account takeover. APIs to access public posts had no security, no rate-limiting, sequential IDs https://www.wired.com/story/parler-hack-data-public-posts-images-video/
by @a_greenberg / @WIRED

API Security weekly newsletter issue #116 is out. Main stories by @Pouyadarabi, @donk_enby, @_nikitastupin, @scuttleph1sh, @mattatkinson42 / @PortSwigger
https://apisecurity.io/issue-116-facebook-parler-api-vulnerabilities-clairvoyance/

clairvoyance by @_nikitastupin allows discovering the #GraphQL schema even if retrospection is disabled: https://github.com/nikitastupin/clairvoyance

See the demo in the recording of his OWASP AppSec Israel talk: https://youtu.be/nPB8o0cSnvM?t=794

70 TB of Parler data scraped via insecure APIs. Looks like when removing the Twilio dependency Parler accidentally enabled admin account takeover via password reset. Post IDs were sequential & could be enumerated. "Deleted" posts were still available via APIs https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/