API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.


From the APISecurity.io Twitter

"API Security in a Kubernetes World" by @DSotnikov at @devweeknyc 2020 is going to stream at 10:30 am PST / 1:30 pm EST December 9. Learn about specifics of securing REST APIs exposed by your K8S microservices. There are still some free passes available:
https://bit.ly/38wV0h6

Twitter Fleets are ephemeral media posts that are supposed to disappear after 24 hours. However, @donk_enby found that the APIs behind the feature allow access to older fleets and that API access does not trigger read notifications.

Tesla Backup Gateway APIs are undocumented but can be discovered & have been documented by the community. The APIs have been poorly protected by default: the default password can be obtained from images & partially from the Wi-Fi SSID.
https://blog.rapid7.com/2020/11/17/dont-put-it-on-the-internet-tesla-backup-gateway-edition/ via @dabdine / @rapid7 blog

22 APIs across 16 different AWS services can be exploited to leak IAM users & roles. API calls to create resource-based policies tell if the principal exists. These attempts are not logged, thus the attack goes undetected. See report by @Unit42_Intel:
https://unit42.paloaltonetworks.com/aws-resource-based-policy-apis/

API Security weekly newsletter #110 is out. Main stories by @sandycarielli / @forrester, @vibronet, @isamauny / @OpenApiSpec, Sanjana Sarda / @isesecurity, Pellaeon Lin, Jeffrey Knockel, @adamsenft, @irenepoet, Stephanie Tran, @RonDeibert / @citizenlab
https://apisecurity.io/issue-110-api-flaws-bumble-covid-kaya-forrester-api-security-asc-2020-talks/
