Issue 211: SQLi vulnerability in Zendesk Explore, Twitter API vulnerability, API threats to data-driven enterprises


This week, we have news of a vulnerability in the API of the Zendesk Explore platform allowing an attacker to inject malicious SQL payloads. We also have coverage of the recent breach affecting up to 5.4 million users of the Twitter platform. We also have two articles: the first is an article on the threats posed to data-driven enterprises due to API attacks, and the second is a report on the 257% increase in API attacks on financial services.

Vulnerability: SQL injection vulnerability in Zendesk Explore API

This week Varonis Threat Labs reported two vulnerabilities within the popular Zendesk ticketing and support system affecting their Explore component. The first was an SQL injection vulnerability allowing attackers to inject arbitrary commands into the underlying database. The second issue involved a vulnerability in an API endpoint that provided an execute-query function to modify platform documents. Due to a weakness in the implementation, the researchers discovered that the API endpoint did not validate that the API caller had permission to access the data records specified and could modify queries to extract arbitrary data from other database tables.

The researchers reported that the flaws could have allowed an adversary to access the Zendesk core and exfiltrate conversations, email addresses, tickets, comments, and other information. Zendesk has since patched the vulnerabilities, and the researchers have confirmed that the vulnerabilities are no longer exploitable.

This sounds like a fairly typical case of API1:2019 (Broken Object Level Authorization): in this case, the API failed to validate that the caller had permission to access the tables specified or execute the queries provided.
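To make the two weaknesses concrete, here is an added example (not Zendesk's code; the in-memory `documents` table and handler names are constructed for illustration) of an execute-query style endpoint that trusts the caller's document id and splices a filter into SQL, next to a version that checks object-level authorization first and binds parameters:

```python
import sqlite3


class Forbidden(Exception):
    """Raised when the caller does not own the requested document."""


def make_db():
    # Constructed stand-in for a ticketing platform's documents table (not Zendesk's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        (1, "alice", "alice's private dashboard"),
        (2, "bob", "bob's private dashboard"),
    ])
    return db


def vulnerable_execute_query(db, caller, doc_id, where_clause):
    # Two defects: no check that `caller` may access `doc_id` (BOLA), and the
    # caller-supplied filter is concatenated into the statement (SQL injection).
    sql = f"SELECT body FROM documents WHERE id = {doc_id} AND {where_clause}"
    return [row[0] for row in db.execute(sql)]


# Columns a client is allowed to filter on; anything else is rejected.
FILTERABLE = {"id", "owner"}


def hardened_execute_query(db, caller, doc_id, where_field, where_value):
    # Object-level authorization: resolve the document's owner and compare it to the
    # authenticated caller before any user-controlled query runs.
    row = db.execute("SELECT owner FROM documents WHERE id = ?", (doc_id,)).fetchone()
    if row is None or row[0] != caller:
        raise Forbidden(f"{caller} may not query document {doc_id}")
    # Allow-list the column name and bind the value, so the filter can never change the query shape.
    if where_field not in FILTERABLE:
        raise ValueError(f"unsupported filter field: {where_field}")
    sql = f"SELECT body FROM documents WHERE id = ? AND {where_field} = ?"
    return [r[0] for r in db.execute(sql, (doc_id, where_value))]
```

With the vulnerable handler, `bob` can read document 1 simply by naming it; the hardened handler refuses before touching the data.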

Breach: Twitter API vulnerability leaks data from 5.4 million users

The other big news this week is further detail of the recent data leak from Twitter affecting up to 5.4 million users. The attack is believed to have been committed in December 2021. According to privacy advocates and researchers, compromised account details (typically email addresses or phone numbers) are still available for sale online.

This breach exposes how easily a motivated attack can use a relatively benign flaw to harvest large volumes of valuable data for use in subsequent targeted attacks. In this case, the attacker targeted a Twitter login API endpoint and randomized the submitted email using publicly available email lists. The API would always return a failure (unless the attacker miraculously guessed the password); however, what was interesting to the attacker was the body of the response returned. If a valid email were submitted, the API would return a failure code but within the response, it also returned the email address and the phone number associated with the account. So by guessing email addresses, the attacker could get Twitter to confirm they were associated with a valid Twitter account.

Twitter confirmed the breach in August this year, and the vulnerability has since been remediated. While the existence of an account does not in itself represent a risk to a user, it would allow an attacker to target users with phishing attacks or social attacks.
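As an added example (not Twitter's code; the account store, phone numbers and log events are constructed), the snippet below shows a login handler whose failure response leaks the email and phone of a matched account, a hardened version that answers identically for known and unknown emails, and a defender-side check that flags a client cycling through many distinct emails:

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed account store. sha256 is a stand-in for a real password hash (e.g. scrypt);
# the point here is the response body, not the hashing.
ACCOUNTS = {
    "alice@example.com": {"phone": "+1-555-0100",
                          "pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
}


def vulnerable_login(email, password):
    # Failure branches differ by account existence and echo account data back.
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": "failure", "reason": "unknown account"}
    if not hmac.compare_digest(acct["pw_hash"], hashlib.sha256(password.encode()).hexdigest()):
        return {"status": "failure", "reason": "bad password",
                "email": email, "phone": acct["phone"]}
    return {"status": "ok"}


def hardened_login(email, password):
    # One failure shape for every outcome, no account fields, and a hash comparison
    # on every path so unknown emails do not short-circuit.
    acct = ACCOUNTS.get(email)
    expected = acct["pw_hash"] if acct else hashlib.sha256(b"").hexdigest()
    candidate = hashlib.sha256(password.encode()).hexdigest()
    ok = acct is not None and hmac.compare_digest(expected, candidate)
    return {"status": "ok"} if ok else {"status": "failure", "reason": "invalid credentials"}


# Constructed auth-log events: (client_ip, submitted_email, outcome).
SAMPLE_EVENTS = (
    [("198.51.100.7", f"user{i}@example.com", "failure") for i in range(60)]
    + [("203.0.113.5", "alice@example.com", "failure")] * 3
)


def enumeration_suspects(events, threshold=50):
    # A single client producing failures across many distinct emails is the
    # signature of list-driven account enumeration, whatever the response says.
    distinct = defaultdict(set)
    for ip, email, outcome in events:
        if outcome == "failure":
            distinct[ip].add(email)
    return sorted(ip for ip, emails in distinct.items() if len(emails) >= threshold)
```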

From an API security point of view, there are potentially two issues at play here, namely:

Article: API security driving threats to data-driven enterprises

Since APIs are primarily conduits to data within an organization, it is hardly surprising that data-driven enterprises are at the most risk of insecure APIs. Due to their public nature (exposed on public networks and documented in the public domain), APIs are a relatively easy target for attackers. Combining this with the relatively high value of the data exposed by APIs results in an increasing threat to APIs.

The article identifies three main causes of insecure APIs, namely:

  • Authentication flaws: as readers will be aware, authentication flaws are one of the top causes of insecure APIs. Make sure that you use consistent implementations of authentication handlers using standard patterns and components.
  • Lack of encryption: never use an HTTP channel for APIs, and ensure that HTTPS is enforced with an appropriate security configuration.
  • Flawed endpoint security: ensure that potentially more vulnerable IoT devices are implemented and tested adequately.

The article concludes by stressing the value of a design-first security approach for new API development.

Article: Attacks on financial services APIs up by 257%

In brief, we have some key takeaways from recent research by Akamai Technologies into the prevalence of web application and API attacks against financial service institutions year-over-year. Their report concludes that the occurrence of attacks has increased by as much as 257% and that Distributed Denial-of-Service attacks have increased by 20%.

The report's authors identify two primary reasons for this trend: firstly, the attack surface is growing rapidly and providing more opportunities to attackers, and secondly, organizations lack the requisite skills to protect their assets. They also suggest that the ease with which API attacks can be automated is a major contributing factor to the increase in API-based attacks.

There are probably no great surprises here for readers of the newsletter, but it is always instructive to see the current trends and observations.

Webinar: Review of the Major API Breaches from H2 2022

Join me next Tuesday (December 13th, 2022 | 8am PST | 4pm BST) when I review some of the major API breaches that occurred in the second half of this year. In this practical webinar, I outline the API vulnerabilities that were compromised during the attacks and show how to protect against them.

In this session, we will cover the following:

  • Gain an understanding of how the API vulnerabilities occurred and the resulting impact.
  • Examination of the underlying OWASP API security Top 10 flaws.
  • Demonstration of how 42Crunch can detect and protect from such vulnerabilities.
