This week, we have news of three vulnerabilities. The first is a vulnerability affecting the Wordle online puzzle allowing curious users to check solutions and even publish their own puzzles. The second is further coverage of the mass information leak from Twitter, and finally, we have coverage of an AWS IDAM API bypassing central CloudTrail logging. Finally we have some quick takeaways from a recent Gartner Innovation Insight report.
A message from the editor
The last six weeks have been a period of unprecedented activity for 42Crunch and me: from packed events at Developer Week and OWASP Netherlands to the RSA 2023 conference, where we were guests of both GitHub and Microsoft and preparation for our first in-person API security training in May in Amsterdam. Unfortunately, this has impacted the regular cadence of the APISecurity.io newsletter.
I want to assure our regular readers that the newsletter is a priority for both 42Crunch and me. A regular publishing schedule will resume bringing you the best API security news every week. Additionally, I am considering some additions to the website, including learning resources, tool guides, and how-to guides. As ever, if you have suggestions or content that you would like to see featured, please do get in contact via the website or Twitter.
Vulnerability: Wordle API vulnerability exposes answers
In one of the more surprising vulnerability disclosures in recent times, a security researcher revealed that he could reverse engineer the API of the Wordle web application to reveal the answers to the current puzzle and also future puzzles. The researcher used the standard developer tools within the Chrome browser to examine the requests and found that a JSON file returned the results for the current puzzle. He also discovered that the JSON filenames for upcoming days were embedded within this file, allowing him to execute an API GET request to retrieve the results of puzzles for upcoming days.
The researcher also found that it was possible to make POST requests to the server to change items on the network, such as the answers for future puzzles. Although not massively impactful, this could have been embarrassing for New York Times if a rogue had posted profanity or offensive content.
This vulnerability disclosure shows how easily a curious attacker could use simple browser tools to examine a web API and relatively easily compromise it.
The key takeaways here are:
- Beware of API3:2019 — Excessive data exposure — in this case, the API leaked information about upcoming puzzles in the results JSON file.
- The API endpoint allowing uploads was vulnerable to API5:2019 — Broken function level authorization — only authorized users should have been able to upload new puzzles.
Vulnerability: Twitter API breach is a goldmine for PII and social engineering
We have previously covered the widely reported Twitter API breach. and this week, we have coverage from VentureBeat discussing how APIs are a goldmine for PII and social engineering. As previously discussed, the breach leaked information about Twitter users with valid accounts, including their email addresses, phone numbers, and Twitter IDs. Estimates vary, but as many as 200 million users could have been impacted.
Now this information in itself is not sufficient to gain account access and/or PII information; however, a database of this sort can be extremely valuable to criminal gangs who may use it to launch targeted spear phishing campaigns against known Twitter users. Typically, these attacks deploy false login or password reset pages, trick users into submitting their actual Twitter login credentials, or capture account reset details.
I can’t entirely agree with the conclusion quoted in the article — the leak of information was not due to a flaw in the API implementation (it did exactly what it was supposed to do), but rather due to very prolonged and undetected exfiltration, which was not detected by intrusion detection systems (IDS). Even a perfectly secure API can be abused by a clever attacker.
Beware of emails purporting to come from Twitter unless you have initiated a password reset process.
Vulnerability: AWS exposed dangerous, undocumented API
Security researchers at Datadog discovered that the built-in AWS CloudTrail logging service was not logging an undocumented API in the AWS management console, as would normally be true for AWS services.
The affected API allowed access to specific identity and access management (IAM) requests which are security sensitive. Such a shortcoming in the logging regime means that an adversary could have made calls to this API service while remaining entirely undetected. At the time of writing, there is no indication as to whether this issue had been resolved.
This is an example of API10:2019 — Insufficient logging and monitoring.
Report: Seven takeaways from Gartner 2022 Innovation Insight for API protection
Finally, this week, we have coverage of the recently published Gartner Innovation Insight report for API protection. Many of the findings resonate with views shared in this newsletter and include the following:
- Highly regulated industries are focusing more closely on API security.
- Traditional security tools are insufficient to cover all aspects of API security, frequently leaving gaps in coverage.
- Organizations should combine three pillars: discovery, posture management, and runtime protection.
- Runtime protection is critical for all APIs.
- The industry needs standalone, best-of-breed API security vendors.
I particularly appreciated the quote from Dr. Anton Chuvakin in describing the challenges of API security:
“API security is a very tough problem because it’s multi-dimensional. You need to be an app sec expert. You need to be a network security expert. You need to understand the business and the application. So you need to know the business, IT, and information security.”
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy