Newsletter Archive

Vulnerabilities Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). Turns out that an update that Google rolled out in November put user data at risk because permissions were not properly enforced. The API could provide ac...

Vulnerabilities If you are using Kubernetes, you should install a patch for it as soon as possible. There is a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact Kubernetes API server using a non-privileged account and then get high-privilege op...

Vulnerabilities United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of: Developers not expecting outsiders to bypass the web page and use the API directly Insecure Direct Object Reference (IDOR), authenticating as one user and getti...

Vulnerabilities This is as ugly as it gets: MiSafes kids’ watches allow accessing very specific information on a child, such as photo, gender, age, height, location, and even provide a remote microphone access. API calls are not secured by TLS and are open to Insecure Direct Object Reference ...

Vulnerabilities An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random ...

Vulnerabilities Do not use TLS client authentication, unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear. This contains enough information to uniquely identify the user. Hundreds of thousands of project...

Vulnerabilities Remini, a mobile app that schools use to communicate with parents, had kids’ profiles including pictures, email addresses, phone numbers, and milestones accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mob...

Vulnerabilities The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying clo...