Issue 1: APIStrat, CORS, Samsung, Google, Facebook, GitLab, Apple
Samsung smart TV security flaw: the equipment would basically accept commands from any source, so anyone knowing the device ID could invoke various functions remotely. The API allowed hackers to “change TV channels, turn up the volume, play unwanted YouTube videos, or kick the TV off a WiFi connection”. A firmware update for 2018 models is out and fixes this by limiting calls to Samsung servers only. A fix for 2017 models is on the way.
Google: is shutting down the Google+ service following a security flaw in Google+ APIs that exposed private user information.
Facebook: details by Prabath on how a custom OAuth implementation led to the massive breach.
GitLab: private events (confidential issues, private merge requests, private milestones and more) were exposed via the API and were only filtered out by the UI.
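The GitLab item illustrates a recurring API bug class: authorization enforced only in the client, with the API itself returning everything. The added example below (not GitLab's code; data model, membership table and function names are hypothetical) shows the vulnerable endpoint beside one that filters by the caller's project membership in the API layer.

```python
"""Server-side visibility filtering for an events API (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: int
    kind: str           # e.g. "issue", "merge_request", "milestone"
    project: str
    confidential: bool  # True means visible to project members only
    text: str


# Constructed sample data: one public event and two confidential ones.
EVENTS = [
    Event(1, "issue", "acme/web", False, "Fix typo in README"),
    Event(2, "issue", "acme/web", True, "Security: auth bypass in login"),
    Event(3, "merge_request", "acme/infra", True, "Rotate prod DB credentials"),
]

# Constructed membership table (hypothetical): user -> projects they belong to.
# Anonymous callers are represented by None and belong to nothing.
MEMBERSHIP = {
    "alice": {"acme/web", "acme/infra"},
    "bob": {"acme/web"},
    "mallory": set(),
}


def can_view(user, event):
    """Authorization check: confidential events require project membership."""
    if not event.confidential:
        return True
    return event.project in MEMBERSHIP.get(user, set())


def list_events_vulnerable(user):
    """Vulnerable: returns every event and relies on the UI to hide private ones.
    Anyone calling the API directly sees the confidential entries."""
    return [e.id for e in EVENTS]


def list_events_fixed(user):
    """Fixed: the visibility check runs in the API layer for every caller."""
    return [e.id for e in EVENTS if can_view(user, e)]


if __name__ == "__main__":
    for u in ["alice", "bob", "mallory", None]:
        print(u, "vulnerable:", list_events_vulnerable(u), "fixed:", list_events_fixed(u))
```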
Apple: vulnerabilities in Apple’s device enrollment API: authentication is optional, there is no rate limiting (opening the door to brute-force attacks), and serial numbers are predictable.
APIStrat “Advanced API Security Patterns”: session slides published by the speaker, Isabelle Mauny.
Cross-Origin Resource Sharing (CORS): Great overview of the technology by Grzegorz Mirek.
Radware / Merrill Research: According to the second annual State of web application security report (commissioned by security firm Radware and based on a survey of more than 300 executives and IT professionals at global companies by Merrill Research): “with 82% of organisations that use API gateways doing so to share and/or consume data, but 70% of respondents do not require authentication from third-party APIs, 62% do not encrypt data sent by APIs, and 33% allow third parties to perform actions, opening the door to additional threats.”