Issue 249: Major API breach at Optus, CocoaPods exposed, Bad Bots and API DoS attacks, Webinar: 2024 API breaches

This week, we share reports on the latest insights into the API breach at Optus and CocoaPods vulnerabilities reveal severe risks from the software supply chain. We examine the importance of API input validation for blocking DoS and authentication attacks. And finally a mention of our upcoming webinar examining recent API breaches and how to prevent them.

Breach: API Governance and PII data exposure at Optus

A recent report from The Register explains how a coding error in an API’s access controls exposed the personal identifiable information (PII) of millions of Optus customers. We originally reported on this breach in Issue 203, from October 2022.

Importantly, the coding error was discovered and fixed for the API in one domain but was missed for another unused domain. This unused and vulnerable domain allegedly remained publicly available on the Internet for years, where it was eventually exploited by a malicious user to steal millions of customer records, including passport and driver’s license numbers and birth certificate information.

In this case, the target API was not in use and should have been decommissioned. API discovery tools are sometimes offered as a solution to finding unknown or forgotten APIs. However, how do you automatically discover an API that is both forgotten and unused? Additionally, most APIs use HTTPS where the API path is encrypted until TLS is terminated, so you need to know exactly where to look to find evidence of an unexpected API endpoint. With API discovery, you can’t find what you’re not looking for, let alone what you can’t see.

Forgotten “Zombie” APIs are often the result of a lack of collaboration between development, operations, and security teams. Organizations that want to avoid legal action due to these types of API breaches should have explicit API governance processes in place to ensure that no API goes into production without the knowledge of the security team, and that an appropriate end-of-life process is implemented for every API. 

Vulnerability: Millions of devices impacted by Cocoapods software supply chain vulnerabilities

Researchers at EVA Information Security have discovered major vulnerabilities in Cocoapods ecosystem, with potentially devastating consequences for millions of iOS users and devices

Some of the vulnerabilities in this case were a direct result of flaws in API security. For example, ownership of Pods could be claimed by unauthorized users through an API that does not require authentication or authorization. The unauthorized user could then modify the Pod and affect all dependencies downstream in the supply chain, including major technology vendors, their applications, and devices. 

Researchers also discovered a flaw in an API used to generate a session validation URL. The API code failed to properly validate input on HTTP headers, allowing a spoofed X-Forwarded-Host (XFH) header in the API request. This header was then used to set the domain of a session validation link, effectively passing the session validation under the control of an attacker.

While these API vulnerabilities are worth considering, the most significant issue revealed is modern software development’s deep reliance on third-party and open-source software components. Vulnerabilities in these components, and even in the systems we depend on to manage these components such as CocoaPods, have profound consequences for dependent applications and APIs.

A recommended step to help manage software supply chain risks is the adoption of a Software Bill of Materials (SBOM), to provide an inventory of all components used to create an application or API. Evaluating risks can also help teams make informed decisions to avoid unsafe consumption of third-party APIs, which makes the list of OWASP Top 10 API Vulnerabilities.

Vulnerability: Logging utility found vulnerable to API DoS attack

Fluent Bit is a logging utility used by many major global companies such as Google, Cisco, and Walmart. Recently, Tenable reported a vulnerability in a Fluent Bit monitoring API that could be exploited to corrupt memory and crash the service.

A common playbook used by hackers is to send corrupted input to an API in order to invoke an unexpected response and reveal an exploitable vulnerability. An API vulnerable to this attack will accept and process input data, without first performing the appropriate checks and validations to ensure the input is safe to use. This is typical for example of APIs deemed vulnerable to SQL injection or Path Traversal attacks.

With Fluent Bit, the API code was developed to assume that the input type was always a string, a pretty dangerous assumption by the developers as it turned out. When strings were replaced with integer values, the API blindly treated the input as the expected string types. The researchers were then able to exploit the discovered vulnerability and crash the system.

Your API testing team can adopt the mindset of a hacker and probe the API for vulnerabilities using malformed input and invalid data types. For example if an APIs input field is defined as a string, then test the APIs behavior when the input is a boolean, or an integer, or null. You can automate and scale these tests by leveraging an API’s OpenAPI file to read the expected data type for each input field. Then automatically fuzz the data type and verify the API’s response (anything other than a ‘400 bad input’ response likely indicates a security vulnerability).

If you want to learn more about this topic, be sure to check out the upcoming 42Crunch webinar mentioned below.

Report: How Bad Bots are targeting authentication APIs

In a 2024 industry report on “bad bots”, Imperva recorded that 30% of API attacks were automated attacks, often seeking to exploit vulnerabilities in business logic. Additionally, nearly half of all account takeover attacks target authentication APIs, using credential stuffing and brute force attacks.

Business logic vulnerabilities can be discovered through APIs by various means. As we saw in the previous article, hackers often send corrupted data in the API request in order to invoke unexpected behavior or response from the API.

It is therefore important for API developers to ensure proper input validation of all incoming API requests, including the request payload, parameters, and headers. This can help limit a hacker or bot’s ability to probe an API with corrupted data to discover a vulnerability.

Additionally, even with reliable input validation, APIs can also be vulnerable to excessive data leaks. Again, API developers must ensure proper inspection and authorization of the API response to ensure additional business data is not unintentionally exposed.

Targeting authentication APIs also raises the need for rate limiting at the API level. Traditionally, businesses are well aware of the need to protect websites and applications against denial of service and brute force attacks. But as software teams move toward more API-centric development, security controls must also be applied specifically to protect API endpoints that might otherwise be vulnerable to account takeover attacks.

Navigating the Depths of API Security with Microsoft & 42Crunch
July 10, 2024 | 10am PDT | 6pm BST

42Crunch and Microsoft give a deep dive on API security testing as part of the Reactor spotlight on GitHub Advanced Security. From scanning OpenAPI specs to dynamic testing, they’ll equip you with practical strategies to harden your APIs against attacks.

Register here

Review of Major API Security Breaches from H1 2024

July 11, 2024 | 9am PDT | 5pm BST

I’m joined by my colleague Heshaam Attar as we review some of this year’s high-profile API vulnerabilities and breaches including the F5 Big-IP Next device and the Trello and Spoutible APIs. 

Register here

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy