This week, we have news of a high severity remote code execution (RCE) vulnerability in the F5 BIG-IP security suite. We also feature an article from Curity on API security maturity, an article on hardening Google Cloud Platform implementations, and finally a threat matrix for GraphQL APIs. Vulnerability: RCE vulnerability in F5’s BIG-IP security suite […]
This week, we have two API vulnerabilities: the first in the VeryFitPro app allowed attackers access to a backend API, while in the other LemonDuck botnet attacked exposed Docker APIs. On more positive side, we also have a new version of TruffleHog detecting of stored API credentials, as well as views on how to securely […]
This week, we have details of an API vulnerability in the Drupal platform, allowing an attacker to bypass access controls. We also feature views from Google Cloud on challenges to API security, a comprehensive guide to OAuth2, and finally a write up on how GitHub deviates from the implementation guidelines for OAuth2. Vulnerability: Drupal patches […]
APIs are increasingly the number one attack vector for adversaries due to their growing abundance and ease of attack via automated scripts and tools. Most public APIs are under constant attack by skilled human adversaries and growing legions of bots. Well-designed, secure APIs are critical to mitigating the risk of attack, but it is essential […]
This week, we have two API vulnerabilities: a command injection vulnerability in the control API of the Wavlink WL-WN531P3 router, and another one on the website of a security regulator in South Africa. In addition, we have views on the management of internal and external APIs, and how the new Lambda Function URLs on AWS […]
This week, we have news of an API vulnerability in the scheduling platform Easy!Appointments allowing unauthorized access. We also have articles on whether the growth in APIs compromises security, how API traffic visibility is a key for API security, and some basic tips on locking down APIs to improve security. Vulnerability: API access control vulnerability […]
This week, we have two new vulnerabilities: firstly, the big news in the Spring4Shell zero-day vulnerability in the Spring Framework coming hot on the heels of the recent Log4Shell vulnerability, and secondly, a vulnerability in the CRI-O container runtime that allowed host access to attackers. We also feature a guide to REST API security and […]
This week, we have articles covering six critical areas for cloud-native security in 2022, including of course API security. In addition there’s a beginner’s guide to API governance, thoughts on how to improve API security by embracing DevOps, and views on three ways to lock down APIs. Article: Six critical areas for cloud-native security in […]
This week, we have news of two critical vulnerabilities patched in the Veeam data backup solution, a remote code execution (RCE) vulnerability in the popular Parse Server API server module, views on how insecure APIs threaten mobile application security, and how attackers are increasingly focusing on APIs as the attack vector of choice. Vulnerability: Two […]
March 24, 2022 – 11am EST / 4pm GMT In this third and final episode in the webinar series, Dr Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io. address one-by-one, the remaining 5 OWASP API Challenges: Issue 4: Lack of resources & rate […]
This week, we have an excellent write-up on a case study of API vulnerabilities, an API vulnerability in Riverbed’s SteelCentral AppInternals software, an article on how even the most “perfect” APIs can be abused, and a guide on the safer handling of JSON web tokens (JWTs). Vulnerability: A case study of API vulnerabilities This week, […]
This week, we have three vulnerabilities: the first in the Cisco Expressway Series and TelePresence video communications service, another vulnerability in self-managed GitLab instances, and a bug affecting a campus access control system. On top of this, we also have views on privacy concerns for APIs. Vulnerability: Patches for critical issues in Cisco video communications […]
APIs are mobile app developer’s best friends as they help reduce development time and save costs. But the rapid deployment of mobile apps and the explosion in the development of new APIs present very real threats for most organizations. To defend your APIs, it is important to have a comprehensive approach to API security from […]
This week, we have new research in APIs that reveals how they are increasingly used for account takeover, a look at a great new book on hacking APIs, an article on using Postman for OAuth 2.0 authorization code grants, and a guide on documenting APIs. Article: APIs increasingly used for account takeover New research covered […]
This week, we have news of the eye-opening vulnerability on the Coinbase platform which netted $250,000 in bug bounty. There’s also an excellent guide on best practices for authentication and authorization for REST APIs, an article on the growth of bad bots and how to mitigate against them, and a fun read from APIHandyman on […]
This week, we have news of a vulnerability in Argo CD that allowed leaking application secrets, a survey of the state of API security across three regions, a quick read on how to use Postman and OWASP Zap for API security testing, and finally views on how to distribute authorization services in a microservice architecture. […]
This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data; an API vulnerability in the Apache Pulsar that allowed access data in different tenants; and an SQL injection vulnerability in Casdoor API. On the more positive side, we take a look at […]
This week, we have an article on applying a DevSecOps approach to API security, by utilizing a shift-left and protect and monitor right approach; a pair of vulnerabilities patched by F5; views on the top 10 API integration trends by Brenton House: and finally, a view on the rise of bot attacks against APIs. Article: […]
This week, we have details of a vulnerability in the popular WordPress plugin, WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. On more positive news, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article […]
In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix […]
This week, we have news of a vulnerability in the IndexedDB API in Safari 15 that exposed user information, a pair of vulnerabilities in AWS affecting AWS Glue and AWS CloudFormation, and a podcast featuring Rinki Sethi and Alissa Knight discussing API security. Last week, we featured an “awesome API security” guide from a 3rd-party […]
This week, we have a long-standing vulnerability on a public-facing internal API on Uber, which allowed attackers to spoof emails. In addition, there’s an article by NordicAPIs on the RapidAPI report into the rise on partner-facing APIs, IBM’s views on the API security risk posed by the growth in omnichannel APIs, and finally (another) awesome […]
This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations. Article: Securing large API ecosystems First up this week […]
This week, we have news of another high severity vulnerability in a WordPress plugin, this time the popular All in One allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner’s guide to API security, and finally an optimistic view […]
This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure using the ubiquitous Log4j library. In addition, there’s an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of zero trust approach for API security. […]
This week, we have an article on seven reasons why API security strategies are failing, details on the recent keynote by Werner Vogels at AWS re:Invent on six rules for good API design, an article by Cisco on API discovery, and a review of some of the biggest API security attacks in 2021. Article: Seven […]
This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API […]
Thursday December 9th, 2021 | 8am PDT / 11am EST / 4pm GMT Join Colin Domoney as he demonstrates how DevSecOps teams now automate and scale the protection of your APIs by generating “security as code” into a CI/CD pipeline. More information […]
This week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files via path manipulation. There’s also a new report from researcher Alissa Knight on vulnerabilities in banking, cryptocurrency exchange, and FinTech APIs; an article on the impact of a shift-left approach for API security; and […]
This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what’s possibly on the next OWASP […]
This week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system, allowing attackers to hijack secrets of downstream supply chains. There is also an excellent article on the journey of Raiffeisen Bank International toward full lifecycle API security, another article on how API security is hindering application delivery, and […]
This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools. Breach: Sensitive data of 400 […]
This week, we have details of a potential vulnerability in existing Prometheus installations with no endpoint security enabled, details of a new tool to assist organizations map their API attack surface, a report on the analysis of publicly available OpenAPI definition files in the public domain, and news on upcoming API security awareness and training […]
This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability and Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers. In addition, there’s an article summing up the increasing numbers of […]
This week, we have a vulnerability in the BrewDog mobile app exposing users’ PII courtesy of hard-coded bearer tokens, Cisco has announced the arrival of their APIClarity at KubeCon 2021, F5 has published a report on API attacks in Open Banking, and finally, there’s a mega-guide on API security best practices. Vulnerability: Hard-coded API bearer […]
This week, we have a viewpoint on what security officers can do to address API security. There’s also a report from IBM revealing that two-thirds of cloud breaches are due to misconfigured APIs, the best practices for detecting malicious activity on API endpoints, and a description of common attack vectors on GraphQL implementations. Correction: In […]
This week, we have an article on how API proliferation is opening up security holes, another vulnerability in WordPress REST API , again through a third-party plugin. In addition, we look into the importance of false-negative API vulnerability scanning, and API protection as a key element of a cloud security strategy. Article: Rapid proliferation of […]
This week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI, the shortcomings of static and dynamic application security testing (SAST/DAST) for API security, and the value that API specification frameworks bring. Breach: Exposed payment integration API keys The big news story this week was the leakage […]
This week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attacks on APIs, an article on everything you need to know about API tokens, and thoughts on API discovery. Vulnerability: Security patch to REST API in WordPress 5.8.1 Last […]
This week, we have recent vulnerabilities in the Fortress home security system that allowed an attacker to remotely disable the system, a guide on API fuzzing techniques and tools, best practice for hardening GraphQL implementations, and views on central governance for APIs. Vulnerability: Fortress home security vulnerability allows remote disarming This week, Rapid7 disclosed two […]
This week, we have vulnerabilities on Cisco routers allowing device takeover, a vulnerability on the Bumble app disclosing user’s location, a view on adopting Zero Trust for APIs, and a hacker’s view on API security challenges. Vulnerability: Cisco releases critical patches Cisco Systems has released a total of six security patches for API vulnerabilities this […]
This week, we have Microsoft Power Apps demonstrating the dangers of lax default settings for data exposure, yet another Broken Object Level Authorization (BOLA/IDOR) vulnerability on the Topcoder portal, the newly release RFC 9101, and a guide to hacking APIs. Breach: Microsoft Power Apps records leaked via OData API The big news this week is […]
This week, we have the recent API vulnerabilities in the SEOPress WordPress plugin and the Valve Software Steam portal, the results from a Dark Reading survey into application security, and details of the upcoming OpenAPI Initiative’s (OAI) API Specifications Conference. Vulnerability: XSS and REST API vulnerability in SEOPress On July 29, 2021, the Wordfence Threat […]
This week, we have the recent API fix involving group membership at Facebook, a case study of a BOLA vulnerability leaking users’ credit coupons, a handy add-on for Burp Suite, plus an interview with a security expert on API security. Vulnerability: Facebook Facebook API was leaking information on users’ memberships in private groups. Muhammad Sholikhin […]
This week, we take a look at the recently discovered (and fixed) API vulnerabilities in electric car charging stations, a Udemy course on OAuth 2.0, the recently released Gartner Hype Cycle on APIs, and how APIs in microservices architectures can be exploited if they construct backend calls without properly validating inputs. Vulnerability: Electric vehicle charging […]
This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security. Vulnerability: JustDial JustDial had a regression as they accidentally reintroduced the API vulnerability […]
This week, we have a detailed write-up on finding credit card numbers leaking from a GraphQL API, a lab walkthrough on hacking JSON web tokens (JWT) through SQL injection, and HackerOne’s new Capture The Flag (CFT) API Security challenge. On the resource side, we have another good mind map, this time on XML attack vectors […]
This week, we take a look at the recently reported API vulnerabilities at Coursera and in one of the Huawei home gateways. We also learn about rate-limiting for GraphQL APIs and GraphQL discovery using its autocorrect feature. Vulnerability: Coursera Coursera has fixed a number of API vulnerabilities reported by David Sopas, Paulo Silva, Ricardo Gonçalves, […]
This week, we take a look at insecure API traffic in the VeryFitPro Android app, how APIs were used to scrape user profile data from Gettr, and some potential API vulnerabilities affecting AWS API Gateway and Lambda authorizers users. In addition, there is also the latest update to the AsyncAPI standard. Vulnerability: VeryFitPro Researchers from […]
This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities. Vulnerability: LazyPay LazyPay is a pay-later platform that has over 2 million […]
This week, we take a look at the recent API vulnerabilities at Apple, Amazon, and the volunteer coordination app of the Philippine opposition coalition, and there is an upcoming API security webinar by Gartner. Vulnerability: Apple iCloud account takeover Laxman Muthiyah was able to demonstrate how he could brute-force his way into taking over someone […]
This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 conference. Vulnerability: Microsoft Teams Evan Grant found a way to break into Microsoft Teams accounts by leveraging Microsoft Power Apps. Microsoft Power Apps and Power Automate services are meant to provide easy tools […]
This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on how the API security vendor […]
This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing. Vulnerability: Russian opposition email list breach Companies typically avoid providing details […]
This week, we take a look at how cybercriminals exploit leaked API keys to steal millions of dollars from cryptoexchanges. In addition, we also have the recent API vulnerabilities in Rocket.Chat, the upcoming change in Let’s Encrypt root certificate and its impact on APIs, and another video on common GraphQL API vulnerabilities. Vulnerability: API keys […]
This week, we have three API vulnerabilities: in Echelon sports equipment, Instagram, and Facebook Workspace, as well as an interview with Forrester’s key API security expert, Sandy Carielli. Vulnerability: Echelon In our previous newsletter, we discussed API vulnerabilities at Peloton. This week, the same researcher, Jan Masters from Pen Test Partners, has published his research […]
This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers. Vulnerability: Peloton Peloton is a producer of popular treadmills and […]
This week, we take a look at the recent API vulnerabilities at Experian, Facebook, and possibly DigitalOcean and Geico. There is also a review of Burp plugins for API vulnerability discovery, and a new API security penetration testing lab. Vulnerability: Experian Bill Demirkapi found an unprotected Experian API that returned a credit score based simply […]
This week, we check out the recent API vulnerability in John Deere farming machinery, the best practices in using Springfox annotations for API security, a new JWT penetration testing lab, and AutoGraphQL – a tool for GraphQL authorization testing. Vulnerability: John Deere John Deere is one of the leading manufacturers of expensive farming equipment, such […]
It’s a rare week with no high-profile API breaches in the news, so we can actually take our time to focus on the positives, like the best practices around API tokens and new tools for API reconnaissance and penetration testing. Best practices: API token format API keys can be or look like pretty much anything. […]
This week, we obviously have to discuss the hundreds of millions of Facebook and Clubhouse user profiles that were scraped using APIs. In other news, Forrester has published their fresh and insightful report “The State of Application Security”, and there’s a new online training “Building an Identity Architecture for APIs”. Data leak: Facebook The biggest […]
This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws. Vulnerability: VMware vRealize Operations API VMware has just patched two critical security issues in their vRealize Operations API. […]
This week, we look at an API vulnerability in Micro Focus Operation Bridge Reporter, new research on 3 hidden attack vectors in OAuth and OpenID Connect, a methodology for finding BOLA/IDOR, and research on OpenAPI adoption in the banking sector. Vulnerability: Micro Focus Operation Bridge Reporter Even authentication APIs may lead to direct remote code […]
This week, we check out the recent API vulnerabilities at F5 and Facebook, there’s a new tool to locate regular expressions vulnerable to Denial-of-Service (DoS) attacks, and we have the recording of Ford’s recent talk on their API security policies and lessons learned. Vulnerability: F5 iControl REST API This one appears to be the most […]
This week, we look at an API vulnerability in a popular call recorder app, newly added OpenAPI support in Burp, a GraphQL pentesting lab, and the just-released Financial-grade API (FAPI) standard. Vulnerability: iPhone Automatic call recorder Anand Prakash found an API vulnerability in one of the most popular call recording apps for iPhone – Automatic […]
This week, we take a look at the recent API vulnerabilities reported at Microsoft and Truecaller Guardians, the new penetration testing labs for API security, and an upcoming webinar on the API security process at Ford Motors. Vulnerability: Microsoft online accounts API endpoints for resetting account passwords are a frequent attack vector. Attackers brute-force these […]
This week, we learn about the recent serious API vulnerability in VMware vCenter (if you have one, update ASAP!), why query and path parameters cannot be trusted for confidential data, how potential attacks can emerge from inconsistencies in JSON parser behavior, and how a VS Code extension can help fix API vulnerabilities. Vulnerability: VMware vCenter […]
This week, we take a look at the recent data spill incident at Clubhouse, the (poor) state of API security in major healthcare mobile applications, how scope-based reconnaissance methodology works, and the latest update (v3.1.0) to the OpenAPI Specification. Vulnerability: Clubhouse Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a […]
This week, we take a look at the recent API vulnerability at chess.com, resources for GraphQL API security, and some API security advice from Michael Cobb at TechTarget. Vulnerability: chess.com Sam Curry found an API vulnerability that allowed arbitrary account takeover in chess.com, a popular online chess community and app. Community members can exchange messages, […]
This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization. Oh, and we also have a link to DZone community awards where you can vote […]
This week, we take a look at the recently discovered API attack in NoxPlayer, the latest annual “State of Web Application Security” report by Radware, a detailed step-by-step pentesting tutorial, and a recording of a session on API security and Azure API management from AppSec Israel. Vulnerability: NoxPlayer [UPDATE] We have been contacted by a […]
This week, we check out a potential exposure of APIs developed with Spring Framework and OAuth 2.0 attack classification. There’s also a recording of a recent JSON web token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week. Vulnerability: Spring Framework Application-Level Profile Semantics Frameworks make developer […]
This week, we look into some recent API vulnerability reports on YouTube and Amazon’s Ring Neighbors app, there is a new proposed addition to the OAuth standard, and Google has developed an API proxy extension for Chrome. Vulnerability: YouTube David Schütz found a clever way to get (limited) access to private YouTube videos via a […]
This week, we check out the recent API vulnerabilities at Facebook and Parler, there is a new GraphQL discovery tool called clairvoyance, and we have API security advice from Corey Ball. Vulnerability: Facebook Pouya Darabi found an API vulnerability in Facebook that allowed him to create posts on other users’ pages. The posts were not […]
Happy New Year 2021! This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs. Vulnerability: SolarWinds The now-infamous SolarWinds breach […]
This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security. Breach: SolarWinds The SolarWinds hacking reported this weekend was not API-related as such. It was a supply […]
This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery. Vulnerability: YouTube Ryan Kovatch was testing YouTube Video Builder beta when he discovered API flaws in YouTube APIs that it uses. When […]
This week, we have the recently reported API vulnerability in Duffel’s Paginator, a new API fuzzer from Microsoft Research, an upcoming JWT security webinar, and a recorded talk on approaches to API authentication. Vulnerability: Paginator Peter Stöckli from Alphabot Security has posted a write-up on the API vulnerability he found in Duffel’s Paginator (CVE-2020-15150). Duffel […]
Happy Thanksgiving to all of our readers in the US! This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and in Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York that includes […]
This week, we check out API vulnerabilities in the dating app Bumble and COVID-KAYA, an app for front-line healthcare workers in the Philippines. There’s also a new Forrester report and an upcoming webinar on API security, as well as a couple of recordings of API security talks from the recent API Specification Conference (ASC). Vulnerability: […]
This week, another API has been leaking voter data in the US, we take a look at Dynatrace’s API token best practices as well as Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs. Vulnerability: Trump campaign’s post-election site Although the campaigns are […]
This week, we have the recent API vulnerabilities in Thrillophilia and GitLab, there is a new free online course on OpenID Connect, and OpenAPI support has been recently added in Cloudflare. Vulnerability: Thrillophilia Thrillophilia is an Indian online platform for discovering and booking travel experiences and tours. Ehraz Ahmed found that Thrillophilia exposed about 2 […]
This week, we check out three API vulnerability reports for Waze, Amazon Web Services (AWS), and the UK NHS COVID-19 app. In addition, the new Forrester study of the technologies constituting application security as of Q4 2020 has been published. Vulnerability: Waze Remember the fun “other cars” icons that Waze, Google’s social GPS navigation app […]
This week, we have the recent API vulnerabilities at GitLab and Grindr, the APICheck tool gets donated to OWASP, there’s a summary on the basics of API authentication options, and complimentary registration links for the online conferences API World and apidays London next week. Vulnerability: GitLab Riccardo Padovani found an API vulnerability in GitLab related […]
This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and “smart” adult toys. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10. Vulnerability: HashiCorp Vault Felix Wilhelm from Google’s […]
This week, we check out the recent API-related vulnerabilities at Twitter and Grandstream Networks, the newly added support for mutual TLS (mTLS) in AWS API Gateway, and the API security episode in the Application Security Podcast. Vulnerability: Twitter A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and […]
This week, we check out three recent API vulnerabilities or breaches and what we know about them, and take a deep dive into cross-origin resource sharing (CORS). Vulnerability: Cisco Cisco has released critical security updates to IOS XE Software run by many of its devices. Two of the issues they have fixed are critical API […]
This week, we look into the recent API vulnerabilities at Facebook and the campaign apps for US presidential election, a new book on the OpenAPI Specification (OAS), and a guest post by API security trainer Mohammed Aldoub on how to build APIs that are easy to defend against attackers. Vulnerability: Facebook Marcos Ferreira found a […]
After the special 100th edition last week, which was all about API security advice from the industry’s thought leaders, this week we are back to our regular API security news, and we have twice the number of them, from the past two weeks. Vulnerability: Giggle Giggle is a women-only social network and mobile app. It […]
Today is a special day for our newsletter – our centennial issue and the number of email subscribers crossing the 5,000 mark (and in addition to that we have about 1300 followers on Twitter and a similar number of members of the API Security LinkedIn group). This has definitely grown significantly bigger than the original […]
This week, we check out the API vulnerabilities in the Mercedes-Benz connected cars and the Russian inter-bank money transfer system. We also have the upcoming ASC 2020 conference next week, as well as a recording of IIoT Cybersecurity panel discussion from the recent IIoT World event. Vulnerability: Mercedes-Benz car control The conference Black Hat USA […]
This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020. Vulnerability: Aura COVID-19 tracing app Another mandatory COVID-19 tracing app, was found to leak personal information and […]
This week, we check out the recent API vulnerabilities in the gym management platform Fizikal and the HDL smart home automation. We also have a great detailed write-up on the recent HacktivityCon 2020 Capture the Flag challenge, and a DEF CON talk on leaking API keys. Vulnerability: Fizikal Apps use platforms to get to the […]
This week, we take a look at the recent vulnerability in Cisco Data Center Network Manager, as well as the API aspect of the data breach at MGM Grand Resort. Plus, we have a couple of tutorials: one on using Chrome Developer Tools to discover API paths, and an introductory one on GraphQL APIs and […]
This week, we have recent vulnerabilities in Zoom and OkCupid, progress on the draft for OAuth 2.1, and a video tutorial on discovering leaky APIs. Vulnerability: Zoom Zoom has become the household name of the times, with plenty of face-to face activities moving online. While this helps to keep the bugs of the living kind […]
This week, we have a potential username exposure in WordPress APIs, an upcoming API security training at the Black Hat USA 2020 conference, and some industry statistics on the poor security performance of web application firewalls (WAFs) and the importance of API security. Vulnerability: WordPress If you use WordPress, check if the REST API endpoint […]
This week, we have a report of a vulnerability in Google Sign In in a popular Indian video-sharing app, a new guide on typical OAuth implementation flaws, a tool for importing OpenAPI definitions into Burp, and a virtual training on API security. Vulnerability: Chingari Chingari is a popular Indian video-sharing app. With the latest steps […]
This week, Pen Test Partners take us to dive deep into why API vulnerabilities are so common in the cheaper smart tracker devices, and we also a vulnerability in TP-LINK’s Kasa Cameras. On the sunny side of the street, we have helpful simulators to figure out the different OAuth2 and OpenID Connect (OIDC) flows, and […]
This week, we check out the recent OAuth bypass at SEMrush, common JWT implementation mistakes and the Semgrep tool, regular expression denial of service (DoS) attacks, and a new online course on OAuth2 and OpenID Connect. Vulnerability: SEMrush OAuth2 implementation can be tricky. SEMrush has fixed an OAuth redirect_uri bypass reported by Yassine Aboukir. The problem […]
This week, we take a look at how Twitter API erroneously allowed browsers to cache sensitive data, and how skimmers have found a way to use Google Analytics APIs to get their hands on credit card data. Plus, there is a live demo of API hacking, as well as a new book on API security. […]
This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to Microsoft platform for integrating API security throughout it all. Vulnerability: Starbucks Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer […]
This week, we take a break from vulnerabilities and direct our gaze to the wider landscape of API security. On the practical side, we have a toolkit for JSON Web Token (JWT) security. The more high-level items include a video on API discovery, an eBook on API security, and a discussion on the role of […]
This week, we take a look at the recent API vulnerabilities in Digilocker, Facebook, and VMware Cloud Director. On top of that trio, there is also a new instructive video on REST API pentesting. Vulnerability: Digilocker A critical API vulnerability in India’s digital wallet system, Digilocker, exposed personal documents of more than 38 million citizens. […]
This week, we have three API vulnerabilities in: Apple’s Sign in with Apple authentication endpoint Qatar’s COVID-19 tracking app GitLab’s Repository Files API In addition, there’s also a new Burp plugin that automatically handles authentication tokens in API calls. Vulnerability: Sign in with Apple Sign in with Apple is an OAuth-like social logon system from […]
This week, we check out the recently fixed vulnerability in Google Cloud Deployment Manager, and how to penetration test OAuth 2.0. On a higher level, we have Gartner’s classification of API security technology, and a recording of a panel discussion on API security. Vulnerability: Google Cloud Deployment Manager Google Cloud Deployment Manager is an infrastructure […]
This week, we take a look at how thousands of Android apps inadvertently exposed Google Firebase APIs, and how Arkansas Pandemic Unemployment Assistance (PUA) portal was leaking sensitive personal data. We also have a new pentesting tool for identifying data transformations used in APIs and apps, and a case study of four recent high-profile API […]
This week, we check out an API vulnerability in India’s coronavirus tracing app, a couple of write-ups on OAuth2 API attacks, and a recording of a talk on REST API penetration testing. Vulnerability: India’s coronavirus tracing app Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is […]
This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and what consequences the growth of API economy is posing for cyber security. Opinion: The 5 most common vulnerabilities in GraphQL Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. […]
This week, we check out how Microsoft Teams could be breached with a single GIF image sent in a chat, and Auth0 by changing the case of a single character. In other news, a report on security issues in smart home hubs has been published, and a new online training on OAuth2.0 and OpenID Connect […]
This week, API vulnerabilities have been reported in IBM and Cisco products, and some conferences and webinars related to API security are coming up soon. Vulnerability: IBM Data Risk Manager Pedro Ribeiro found a bunch of security vulnerabilities in IBM Data Risk Manager (IDRM). This is a control center that helps to locate, analyze, and […]
This week, unprotected APIs have allowed hackers to compile to put on sale a list of 1.4 million of US doctors, and GitLab has published details on the API vulnerability they recently fixed. We also have a recording of a recent API security conference talk, and an announcement of an upcoming training on OAuth and […]
This week, we check out the API vulnerabilities in the WordPress Rank Math plugin, Tapplock smartlock, and TicTocTrack, another kids’ smartwatch. In addition, an update to VS Code OpenAPI extension that adds static application security testing (SAST) for composite API contracts has been released. Vulnerability: WordPress Rank Math plugin A popular WordPress plugin, Rank Math, […]
This week, GitLab has fixed several vulnerabilities, including API vulnerabilities, and the draft for OAuth 2.1 has been released. If you find yourself stuck at home with extra time in your hands, why not check out the free course on web security that Stanford University is offering? Vulnerability: GitLab GitLab has released a new security […]
This week, new security issues have been reported in US election app, Voatz, and an API vendor has leaked 8 million shopping records in UK. In addition, ESG have shared some of their findings on API security and DevSecOps, and there is a new API security extension for Azure Pipelines. Vulnerability: Voatz We have already […]
This week, the state of security in Zyxel’s management console as well as in the field of IoT leaves room for improvement. Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out. Vulnerability: Zyxel Cloud CNM SecuManager Pierre Kim and Alexandre […]
This week, we check out how Facebook’s OAuth implementation in their social login feature left the access tokens vulnerable. We also have some statistics and predictions on the rise of API security, and recordings of a couple of more API security talks have been published. Vulnerability: OAuth in Login with Facebook Doing a bullet-proof OAuth […]
This week, we check how Tinder’s API vulnerability has developed a life of its own, the latest statistics from Akamai on API security, the best current practices for JWT, and why API security needs both API firewalls and API management, not just either or. Vulnerability: Tinder Back in July 2019, we covered the OWASP API3:2019 — […]
This week, we take a look at how WordPress got exploited by a 3rd-party plugin, and how API security research can sometimes be a very ungrateful endeavor. In addition, we also have the cost of ignoring API security as showcased by Facebook, as well as several good JSON Web Token (JWT) talks. And as a […]
This week, we take a look at the recent API vulnerabilities found in SoundCloud and the electric scooter service Lime. In addition, we have a set of tips for API penetration testing, and NIST whitepaper on the microservices security. Vulnerability: SoundCloud Paulo Silva has published a very systematic and thorough report on API vulnerabilities that […]
This week, we check out a recent API vulnerability in Twitter. In addition, it looks like API vulnerabilities are a bit of theme in apps by political parties: vulnerabilities were discovered in apps by Israel’s Likud and the Democratic Party in USA. We also have two API security talks: one recorded and one upcoming webinar. […]
This week, we look at the recently patched API vulnerabilities in Microsoft Azure Stack and Azure Cloud infrastructure, and in Cisco TelePresence and RoomOS. In addition, there is a recorded conference talk on API pentesting, and Yelp has released an open-source tool for API fuzzing. Vulnerability: Azure Cloud infrastructure Ronen Shustin from Checkpoint Research has […]
This week, we take a look at where API security is at on Gartner Hype Cycle, what the threatscape for 2020 looks like to be according to McAfee, and a SANS Institute whitepaper on DevSecOps. Analysts: API security in Gartner Hype Cycle Gartner published their Hype Cycle for Application Security, 2019 a few months ago. The […]
This week, the OAuth 2.0 Token Exchange got its RFC, and there is an upcoming webinar on JWT. In addition, we take a look at where to start with securing your APIs, and how does 2020 seem to be shaping up, according to analysts. Standard: OAuth 2.0 Token Exchange IETF has published the RFC 8693 […]
This week, we check how several API vulnerabilities in TikTok can lead to attackers taking over the social media account, and how an admin plugin for WordPress had an API allowing for an authentication bypass. In other news, the OWASP security conference kicks off next week in California, and we take a look at API […]
This week, we look into the recent API vulnerabilities in Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list of API security. Vulnerability: Siemens SPPA-T3000 The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API […]
It is all about vulnerable APIs this week. We are looking at the ones in Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint. Also, there is a big leak of Facebook users’ phone numbers presumably harvested via APIs. Vulnerability: Plenty of Fish Dating apps contain highly personal information and thus are a […]
This week, we are looking into a huge API vulnerability exposing more than 47 million devices. Also, Microsoft and Google are dropping Basic Authentication support, and there is an opinion piece on the top risks of API security. Vulnerability: Thinkrace The platforms you are using to power your systems can add vulnerabilities. PenTestPartners looked at […]
This week we look at the recent API vulnerabilities in Amazon Ring’s Neighbors app and the Droom vehicle marketplace, articles on API security and WebSockets, an opinion piece on the most exploited API vulnerabilities, and a couple of recorded webinars. Vulnerability: Amazon Ring Gizmodo reports that Amazon Ring’s crime-alert app, Neighbors, exposes too much data […]
This week we check out recent API vulnerabilities in India’s statewide patient portal, at the mobile operator Airtel, and in Kaspersky Internet Security products. In addition, the results of Radware Web App Security survey are out. Vulnerability: India’s ORS patient portal A broken object level authorization (aka IDOR) vulnerability in India’s nationwide patient portal, Online Registration […]
This week, we look into a vulnerability in Microsoft Azure OAuth implementation that could have lead to take-over of Azure accounts. In addition, we take a look at the security in the shopping apps on mobile phones and 5G networks. In other news, the recording of our OWASP API Security Top 10 webinar is now […]
This week is all about API vulnerabilities. We found them everywhere: from client to cloud communications of Fortinet products to avatar hacks in Truecaller app, an authentication flaw in Nykaa Fashion, and yet another kids smartwatch system with almost total lack of security. Vulnerability: Fortinet Researchers from SEC Consult have found bad implementation in various […]
This week, we continue to look at the upcoming OWASP API Security Top 10, discuss organizational changes that can make organizations more cybersecure, check out another security checklist, and upcoming API security conferences. API vulnerability explained: Broken Object Level Authorization Broken Object Level Authorization (BOLA, aka IDOR) holds the #1 spot in the OWASP API […]
This week we look at the recent API vulnerabilities at Facebook, Amazon Ring, and GitHub. There is also an upcoming webinar on OWASP API Security Top 10 that you can attend. Vulnerability: Facebook Facebook has reported and fixed a vulnerability in their Groups API. This API and the information it exposes had been potentially abused […]
This week, API vulnerabilities were reported in Rittal cooling systems. In other news, there is an API vulnerability cheat sheet that you can print and put on your wall, an overview of common JWT attacks, and a GlobalData report on the trends in API management and API security. Vulnerability: Rittal industrial cooling Applied Risk has […]
This week, we check out the vulnerabilities fixed in EU’s eIDAS (electronic IDentification, Authentication, and trust Services) system and Cisco routers, how Instagram is seeking to avoid the privacy controversies that Facebook itself has had, and interesting predictions from Gartner’s latest API report. Vulnerability: EU eIDAS EU has patched the reference implementation of the eIDAS […]
This week, we take a look at the recent API vulnerabilities in smart prayer beads, Kubernetes, and Harbor, as well as analogies between API security and airport security. Vulnerability: ClickToPray eRosary Vatican has released ClickToPray eRosary, the smart rosary beads that — naturally — come with the accompanying mobile app. Unfortunately, the app had a […]
This week, we take a look at how out-of-date library compromises login to Twitter, how simple parameter switch gave access to over 150 million JustDial user accounts, and how holes in API security can lead a business to give out uncontrolled freebies. In addition, there is an update on Google’s decision to change the access […]
This week, Kubernetes API server was found vulnerable to the Billion laughs attack, NIST has opened their Zero Trust Architecture guidelines for commenting, and VS Code OpenAPI extension got an update with API Contract Security Audit built-in. Vulnerabilities: Kubernetes The Kubernetes API server is currently vulnerable to the so-called Billion laughs attack. This is the […]
This week, we ponder when is an API vulnerability a vulnerability, and check out Gartner’s new report and OWASP’s new API security project. Vulnerability: Cisco Webex and Zoom Definitions of API vulnerabilities can vary: what someone considers a vulnerability may be design to someone else. This is exactly the case with this week’s vulnerability. Cequence […]
This week, we take a look at Harbor’s API vulnerability, the flawed architecture of CRUD-based apps, PSD2 effect on API security, and API security tooling. Vulnerability: Harbor Harbor is a popular open source container registry. This week, researchers have found about 1,300 Harbor endpoints affected by an API vulnerability. The vulnerability is a classical case […]
This week, we check out the details of two API vulnerabilities at Uber and Get, the updated 42Crunch API security platform, and Red Hat’s vision of the future of API management. Vulnerability: Uber Anand Prakash found a way to do full account takeover on Uber through a vulnerability in their APIs. The same approach worked […]
This week, we look at the recent vulnerabilities at Verizon and Shenzhen i365-Tech GPS trackers, leaking S3 bucket names, and Facebook cutting API access for some of its partners. Vulnerability: Verizon 2 million Verizon Wireless Pay Monthly contracts were found open for anyone to access. The researcher managed to get a valid cookie while browsing […]
This week we look into the recent API vulnerability in Cisco routers, how MuleSoft handled severe vulnerability in their API gateway, API security aspects of communication PaaS, and passes for upcoming API World conference in San Jose, CA. Vulnerabilities: Cisco Cisco has implemented their REST API as a virtual service container for IOS XE. This […]
This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories. Vulnerabilities: Cisco Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 […]
This week, we take look at the recent location API vulnerabilities in dating apps and smartlocks. In addition, we have an API security video from RSA Conference in Singapore, and the survey results and API security recommendations from Cloud Security Alliance. Vulnerability: dating apps BBC has run a story on the common API vulnerability pattern […]
This week, we look at API vulnerabilities in Kubernetes and 3Fun, upcoming API Specification Conference, and slides from EIC 2019 conference presentation. Vulnerabilities: Kubernetes Kubernetes has fixed the API vulnerability CVE-2019-11247. This flaw allowed attackers to access, modify, or delete computing and storage resources configured across a Kubernetes cluster. The issue was with authorization logic […]
This week, we have a conference talk recording demonstrating API pentesting; see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly. Conference talks The OWASP Global AppSec Tel Aviv conference has published a video recording of the […]
This week, we look into a validation vulnerability in Cisco APIs, security best practices for HTTP headers and OAuth 2.0, and the effect of microservice architectures on API security. Vulnerabilities: Cisco Cisco has fixed an API vulnerability in their Vision Dynamic Signage Director. The vulnerability stemmed from insufficient validation of incoming HTTP requests. An unauthenticated […]
This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted. Vulnerability: Tinder Sanskar Jethi has found that Tinder enforces their premium features (such as […]
This week, we have a lot of high-profile API vulnerabilities, like Instagram, Zipato, and 7-Eleven. Also, 42Crunch has released a native API firewall for microservices in Kubernetes. Vulnerability: Instagram Laxman Muthiyah got his $30K bug bounty for reporting this vulnerability to Instagram: He managed to use the Instagram API to take over an arbitrary account. The […]
This week, we take a look at Zoom’s insecure API snafu that affects millions of Mac users, improvements to the OpenAPI support in Visual Studio Code (VS Code), the PolarProxy tool for TLS traffic decoding, the latest API breach fines, and a new survey on cloud security. Vulnerabilities: Zoom Zoom is a popular video conferencing […]
This week, we have seen some major adoption milestones for the OpenAPI and the DNS over HTTPS standards, we discuss the way to go about with TLS pinning and the X-Frame-Options header, some not-so-smart locks, and the updated API security tooling from 42Crunch. Vulnerabilities: Ultraloq smartlocks Ultraloq smartlocks come with a mobile app, and its APIs […]
This week, we look into the latest API vulnerabilities in Oracle WebLogic and OnePlus, API security workshop at Black Hat, API security tech landscape, and a new tool for OAuth and OpenID Connect debugging. Vulnerabilities: Oracle WebLogic Oracle WebLogic has issued a critical API security patch. Just like with an earlier similar issue, the flaw […]
This week, we discuss API vulnerabilities in TP-Link Wi-Fi extenders, Amcrest cameras, Venmo transaction feed, and GateHub cryptocurrency wallet. We also take a look at the API security aspects of microservices architectures. Vulnerabilities: TP-Link Wi-Fi extenders TP-Link Wi-Fi extenders are a popular way to get a better Wi-Fi coverage in houses and other spaces. Unfortunately, […]
This week, we take a look at API vulnerabilities at NVIDIA and Supra, an OpenAPI extension for Visual Studio Code, and an upcoming API security webinar from NordicAPIs. Vulnerabilities: NVIDIA GeForce Experience NVIDIA GeForce Experience (GFE) is a supplementary application that users install with other NVIDIA products to “capture and share videos, screenshots, and livestreams […]
This week, OWASP launched their Top 10 project for API Security. We also look at the changing landscape of OAuth 2.0 security, and the use of Postman and Burp for API penetration testing. OWASP API Top 10 The Open Web Application Security Project (OWASP) has long been popular for their Top 10 of web application […]
Vulnerability: First American First American Financial Corp. was leaking 885 million mortgage deals records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details. Presumably, the company did not want to secure the documents to simplify the access […]
This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction, and a new podcast on API security. Vulnerabilities: ASUS WebStorage We reported Dell’s Support Assist vulnerability few issues ago — and now the ASUS update service got a similar […]
This week, Samsung has leaked a token that provides full access to their SmartThings code repository, and Facebook fixed one API flaw but got fined for another. We also have a discussion of API security and DevOps, and look into a survey that Postman runs on the future of OpenAPI support. API keys We have […]
This week, there were a lot of API vulnerabilities including: Dell Cisco (a whopping three of them!) Oracle WebLogic DockerHub JustDial Millions of IoT devices based on iLnkP2P We also look into what implications 5G transitioning to REST and HTTPS brings to API security. Vulnerabilities and breaches Dell Probably the highest profile issue of the […]
This week, we look into the latest API vulnerabilities in cars, Nagios, and Portainer, as well as different OAuth 2.0 attack scenarios, and the time it takes for attackers to find new API endpoints. Vulnerabilities and breaches Some car owners install hardware GPS tracking devices in their vehicles. These are accessed and managed through mobile […]
This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial. Elsewhere, Gartner reports a whopping 77% increase in inquiries on API security. And finally, we take a look at how an API’s OpenAPI definition can be the foundation for API security. Vulnerabilities Tchap Tchap is a messaging app […]
This week, we had vulnerabilities in remote car control apps and GPS-enabled watches. We also take a look at the API security trends in microservices and serverless architectures, and consumer electronics. Vulnerabilities MyCar is a remote control system that is installed in some cars under its own name or under a variety of brands, such […]
This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices webinars and recommendations. Vulnerabilities Verizon is urgently updating their Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in device’s API. […]
This week, NIST has released their microservice security guidelines, Facebook has removed some of their security for whitehat researchers, and we continue the discussion on how to store API secrets safely. Industry standards and best practices US National Institute of Standards and Technology (NIST) published their draft on “Security Strategies for Microservices-based Application Systems”. The document includes […]
This week, we dive under the skin with unprotected APIs on implanted cardiac defibrillators, and take a spin with a hacked tornado warning system in Texas. We have a story on how Uber used API vulnerability to drive competition out of business. And finally, we also look into how to store API keys and prevent […]
This week, we had another mobile app leaking user data, and the first ever CEO resignation because of an API breach. There’s also: The best practices for AWS API Gateway security Gartner’s advice to CISOs on cloud security Security implications of the OpenAPI Specification (OAS) Vulnerabilities in machine learning Vulnerabilities The mobile application 63red Safe had […]
This week, we have seen vulnerabilities in 3 million car alarms, snowboard helmets, and virtual worlds. In other news, there is a new API security platform built around OpenAPI contracts. We also take a look at the SANS checklists and HTTPS/TLS tutorials. Vulnerabilities This was a good week for PenTestPartners. They have uncovered a couple […]
This week, we got vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US changes in attack trends between 2017 and 2018. Vulnerabilities Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it […]
This week we look into vulnerabilities at Uber and Drupal, the best practices from the ICANN DNS security checklist, the upcoming European IoT security standards, and more vulnerability stats from 2018. Vulnerabilities This is the worst API vulnerability of the year so far. Drupal‘s RESTful Web Services (rest), JSON:API, and other web services modules allowed […]
This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security. Vulnerabilities You’d think casinos are at the forefront of security, after all they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public unencrypted APIs to communicate with the backend servers. […]
Vulnerabilities We have reported on API vulnerabilities in kids’ smartwatches before. The watches remain vulnerable to API attacks, these stories just keep pouring in: The European Union is recalling Enox Safe-Kid-One smartwatches because of vulnerable APIs. The APIs have no authentication or encryption, so attackers can access them, retrieve any information on them (like location), change […]
This week we are mostly discussing best practices and tools, such as: The best methods to pass API keys and other sensitive data Tools that attackers use to discover APIs Why API security is never set-&-forget Risks Never put API keys or other sensitive information in URLs or query parameters. These are visible to browser […]
Vulnerabilities Another CPU DoS vulnerability in Go TLS (CVE-2019-6486) got fixed. This vulnerability impacts APIs implemented as Go microservices. The vulnerability enables attackers to exploit: TLS handshakes X.509 certificates JWT tokens ECDH shares ECDSA signatures. To fix the vulnerability, upgrade to Go versions 1.11.5 or 1.10.8. Best Practices DNS infrastructure is critical for web and […]
Vulnerabilities A team from Check Point Research reported a serious vulnerability in Fortnite authentication API: An old unused subdomain had a misconfigured web application firewall (WAF) that relied only on blacklisting. Attackers could perform a SQL injection in the subdomain to plant their XSS script. Fortnite allowed log in with Facebook and Google credentials using […]
Vulnerabilities Noam Rotem found a dangerous combination of vulnerabilities in the APIs of Amadeus flight booking system and El Al airline: The Amadeus API allowed for brute force enumeration of booking identifiers, also known as passenger name record (PNR). The El Al API provided both personal and booking details for any PNR. Once attackers knew the […]
Vulnerabilities Another OAuth hack, and another reason why using OAuth for authentication can be dangerous. Researches by SafetyDetective found that Microsoft had 400 million users exposed. Outlook, Store, and other services allowed wildcard *.office.com as a valid wreply URL for tokens from login.live.com. Attackers noticed that and managed to grab the success.office.com domain in Azure. Now, […]
Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays. Vulnerabilities We have previously covered NUUO security cameras vulnerabilities, this time critical API flaws have been reported in Guardzilla cameras. Bitdefender Labs reported multiple issues including: Hardcoded credentials for cloud APIs, Sequential IDs used for user-level […]
As we are wrapping up 2018, you can’t help looking back at the record number of high profile API breaches that happened this year and wondering what can be expected next year. However, it is not all about the holiday mood: this week was also marked by a security hole in mutual TLS authentication in […]
TL; DR; If your source code is written in Go and it uses one-way or mutual TLS authentication, you are vulnerable to CPU denial of service (DoS) attacks. The attacker can formulate inputs in a way that makes the verification algorithm in Go’s crypto/x509 standard library hog all available CPU resources as it tries to verify […]
Vulnerabilities Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). Turns out that an update that Google rolled out in November put user data at risk because permissions were not properly enforced. The API could provide access to user profile data even if the data was […]
Vulnerabilities If you are using Kubernetes, you should install a patch for it as soon as possible. There is a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing […]
Vulnerabilities United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of: Developers not expecting outsiders to bypass the web page and use the API directly Insecure Direct Object Reference (IDOR), authenticating as one user and getting data of another user Leaky API where wildcards were not […]
Vulnerabilities This is as ugly as it gets: MiSafes kids’ watches allow accessing very specific information on a child, such as photo, gender, age, height, location, and even provide a remote microphone access. API calls are not secured by TLS and are open to Insecure Direct Object Reference (IDOR), meaning that as long as you have […]
Vulnerabilities An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random string as a partner name and 0 as the request count) and get thousands of keys in the […]
Vulnerabilities Do not use TLS client authentication, unless you are already on TLS 1.3. With TLS 1.2 and earlier, when you use client authentication, the client certificate is transmitted in the clear. This contains enough information to uniquely identify the user. Hundreds of thousands of projects use cURL and purposefully disable the verification of TLS host […]
Vulnerabilities Remini, a mobile app that schools use to communicate with parents, had kids’ profiles including pictures, email addresses, phone numbers, and milestones accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mobile app knows that the API exists, and account IDs used were sequential, so hackers could simply […]
Vulnerabilities The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is […]
Vulnerabilities GoDaddy 2-step authentication API found to be vulnerable. The API lacks rate limiting and does not impose timeouts after failed second factor attempts. This opens doors for brute force attacks on the second factor. AWS Honeytokens designed by Amazon to help security specialist attract attackers and detect attacks turned out to actually be discoverable. […]
API Vulnerabilities Samsung smart TV security flaw: the equipment would basically accept commands from any source, so someone knowing the device ID would be able to invoke various functions remotely. API allowed hackers to “change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection”. Firmware update […]
Copyright 2018-2022 42Crunch Ltd, All Rights Reserved.