Issue 254: WhatsApp and IBM WebMethods vulnerabilities, 3rd-party API and LLM risks, API access controls


This week, we investigate a recent flaw in WhatsApp’s View Once privacy feature and also critical vulnerabilities reported in the IBM WebMethods integration platform. We highlight a NordicAPIs article on the risks from third-party APIs and LLMs, and an article on solving the challenges of fine-grained access control for APIs. There’s also an interesting webinar examining how GenAI can increase the attack surface for risky APIs.

Vulnerability: WhatsApp client-side security flaw

A research team at Zengo has discovered a flaw in WhatsApp’s View Once privacy feature. This feature allows a WhatsApp user to send photos, voice messages, or videos that disappear from a chat after the recipient downloads and opens them once. The feature also prevents a recipient from saving, sharing or even screen-capturing a photo or video on their device. 

The discovered vulnerability is an example of offloading to the client side privacy or authorization checks that should actually be performed at the API server.

Basically, the way WhatsApp has implemented this privacy feature involves the recipient’s WhatsApp client sending a request to the WhatsApp API server to download a photo, for example. The client includes a property in the request called “viewOnce” which will be set to true if the original sender has enabled the View Once privacy restriction. 

The problem is that it is easy for the recipient to change the viewOnce property from true to false if they know how to bypass the client and call the WhatsApp API server directly. In this case, the photo is downloaded without its View Once restrictions, overriding the privacy setting chosen by the sender and original owner of the photo.

This is a fairly common mistake made by developers who offload authorization or privacy checks to the client. We previously reported on similar incidents, such as a vulnerability found in an app by Siemens.

For more technical details, I recommend the Zengo team’s in-depth report, which includes a video demonstration of the exploit.

The key is to always apply authorization or privacy checks at the API, not at the client level.
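To make the point concrete, here is an added toy example (not WhatsApp’s code, and the endpoint, field names and sample store are all assumed) showing a download handler that trusts the client’s viewOnce flag beside one that takes the restriction from the server-side message record:

```python
from dataclasses import dataclass, field


@dataclass
class Media:
    media_id: str
    view_once: bool                 # set by the sender at upload time
    opened_by: set = field(default_factory=set)


def make_store() -> dict:
    """Constructed sample store: one View Once photo, one ordinary photo."""
    return {
        "photo-1": Media("photo-1", view_once=True),
        "photo-2": Media("photo-2", view_once=False),
    }


def _serve(media: Media, user: str, restricted: bool) -> dict:
    """Shared delivery logic; only the origin of `restricted` differs between handlers."""
    if restricted and user in media.opened_by:
        return {"status": 403, "reason": "already viewed"}
    if restricted:
        media.opened_by.add(user)
    # The response tells the client whether it must enforce the one-time display.
    return {"status": 200, "viewOnce": restricted}


def download_vulnerable(store: dict, request: dict) -> dict:
    """Trusts the client-supplied 'viewOnce' field, mirroring the reported flaw."""
    media = store[request["mediaId"]]
    restricted = bool(request.get("viewOnce", False))   # under the caller's control
    return _serve(media, request["user"], restricted)


def download_hardened(store: dict, request: dict) -> dict:
    """Ignores the client flag; the restriction comes from the stored message record."""
    media = store[request["mediaId"]]
    restricted = media.view_once                        # server-side source of truth
    return _serve(media, request["user"], restricted)


# Constructed request with the flag flipped, as the newsletter describes.
TAMPERED = {"mediaId": "photo-1", "user": "bob", "viewOnce": False}
```

The hardened handler returns the same photo but reports viewOnce as true regardless of the request, and refuses a second download of the same View Once item.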

Vulnerability: Critical bugs in IBM’s WebMethods platform

This month, IBM released a security bulletin describing critical and high vulnerabilities discovered in its WebMethods Integration platform. 

According to a report by PRNewswire, IBM acquired WebMethods from Software AG earlier this year. WebMethods is widely used for service integration and API management. 

The reported vulnerabilities allow a malicious user to upload and execute arbitrary files on the platform, or grant escalated privileges to a malicious platform account. WebMethods is also vulnerable to path or directory traversal attacks, where a malicious user injects path traversal patterns into the input (“../..”) to trick the platform into sharing access to unauthorized parts of the file system. 

Security vulnerabilities in a trusted API management platform can be exploited by hackers to gain unauthorized access into other parts of the API infrastructure.

IBM strongly recommends that affected users apply the provided patch to fix these issues. 

Article: Unsafe API consumption and LLM integrations 

Many tech companies are excited about enhancing their products by integrating AI solutions. According to one analyst, in the near future “at least 70% of any software product you touch is going to have an AI component to itself”.  

For teams considering deploying and managing a large language model (LLM), OWASP has launched a new Top 10 project to raise awareness of LLM-specific security risks. This is a timely reminder to consider the potential security implications of using LLMs.

AI platforms provide their own sets of APIs to allow developers to integrate AI services into their own products. These AI platforms also consume other third-party APIs, creating a complex supply chain of API producers and consumers. This can expose teams to vulnerabilities from unsafe API consumption.

A recent article by Art Anthony of NordicAPIs highlights the security risks of integrating with third-party APIs, including security issues caused by over-reliance on LLMs.

For teams with projects underway to integrate and leverage an LLM or other third-party platforms, this article provides important food for thought.

Article: How to implement fine-grained API access control 

Four of the top five OWASP API security vulnerabilities involve access control, specifically authentication or authorization. This indicates a broad consensus that access control vulnerabilities represent the most critical risk to APIs.

For example, Imperva reported that 44% of all recorded account takeover attacks in 2023 specifically targeted APIs, so hackers are certainly focusing on APIs as vulnerable access control points. 

In addition to managing this security risk, API development teams must also implement increasingly complex access control policies. Product managers are tasked with delivering services and features at a fine-grained level, often based on customer requests or sales strategies. The challenge for API teams, then, is how to deliver more complexity with less vulnerability.

In this article, Michal Trojanowski from Curity describes the concept of Attribute-Based Access Control (ABAC) for APIs. His proposed solution combines the security of a well-implemented OAuth-based authorization flow with the fine granularity of claims-based policies, which can meet the needs of enterprises to provide more access options to product services and features in a secure manner.

Given the importance of access control vulnerabilities to API security in general, this article is definitely worth reading.

Article: Promoting secure practices for API developers

A recent article from Cyber Security News explains why developers play such an important role in an organization’s cyber defenses and outlines practices a team can adopt to help prevent common vulnerabilities. 

Secure coding practices and regular security testing can go a long way in preventing API vulnerabilities from leaking into production environments and being exploited by hackers. It’s worth noting that many of the API incidents we report in this newsletter are often a direct result of mistakes and oversights during the API development process. Secure development practices, implemented consistently, can remove entire classes of vulnerabilities from the API code. API developers and testers have a responsibility in this regard, and awareness is essential.

Aside from secure coding and testing, the article also encourages developers to take on leadership roles by staying informed about emerging threats and to be active in promoting security awareness within the team. 

With this goal in mind, consider sharing APISecurity.io with your API development and testing teams as a resource to stay informed about emerging threats and vulnerabilities in the API security space.

Webinar: When GenAI Meets Risky APIs

As Generative AI adoption grows across the enterprise, so does the risk surface for potential data breaches and attacks. API security is a must-have if you want to enable the responsible and effective deployment of GenAI technology.

Join my colleagues from 42Crunch as they demonstrate how GenAI can be used to exploit unsecured APIs to gain unauthorized access, inject malicious prompts and manipulate data. Also, learn how to prevent your APIs from being undermined by adopting a proactive API security as code approach to defending your APIs.

Register here
