Issue 267: AI to replace Pentesters, Radware Threat report, API bugs at Medefer and Zitadel, API holes in OpenBanking


This week, we share the Radware 2024 threat report, which highlights APIs as a primary target of attacks. We also look at API vulnerabilities reported in the Medefer health platform and in Zitadel’s identity management solution. The Hacker News asks whether pentesters are about to go extinct, and finally we have an article on Open Banking and API security challenges in APAC.

Industry Report: Radware report highlights API vulnerabilities

Radware has published a new industry report analyzing attack trends in 2024. Its section on “Web Application and API Threats” observes that API attacks primarily target the business logic or core functionality of the API under attack.

This is a distinctive challenge for API security: because attacks target bugs specific to the functionality or data of each individual API, generic security controls are of limited use in protecting APIs against them.

In the report, Radware noted a 41% increase in Web Application and API attacks since 2023. Vulnerability exploitation accounts for over a third of all malicious requests. 

The report also highlights the lack of proper API documentation as a sign of unmanaged or poorly secured APIs, which are frequently targeted by attackers.

Vulnerability: Medical records exposed by unsecured API 

The UK’s National Health Service provides an electronic referral system through an ecosystem of online healthcare providers. According to a recent report, a whistleblower from Medefer, a company participating in the e-referral system, claimed that an unprotected API exposed medical records that were previously transferred to Medefer from the systems of the NHS.

“When a patient is referred to Medefer, the firm receives patient data from e-RS or the NHS Spine to make it available to medics, who provide online consultations”

Apparently the vulnerable API was accessible without any authentication. Although the company claimed to have fixed the issue within 48 hours, the whistleblower, a software testing contractor for Medefer, suggested the flaw in the company’s API may have existed for six years, according to reporting on ComputerWeekly.com.

The complexity of supply chains and ecosystems poses a major challenge for API security as threat actors will target the weakest link in the chain to compromise the entire system. At a minimum, access to private data via APIs should be protected by appropriate authentication and authorization controls. 

Medefer indicated that penetration tests conducted by a third party a few months earlier failed to uncover the API vulnerability. Either the API vulnerability was recently introduced, or the penetration tests left a lot to be desired!

Article: Will AI replace Pentesters?

Speaking of pentesters, an article on The Hacker News asks whether AI is about to replace humans by fully automating penetration testing.

A similar argument has been made about the impending demise of software developers at the hands of AI, although the quality of code generated by AI is not without its discontents.

Having reviewed hundreds of POCs and bug bounty reports while preparing the APISecurity.io newsletter each month, two impressive characteristics I notice in pentesters and hackers are persistence and ingenuity. 

While it’s easy to imagine an AI agent beating a human in terms of persistence, the ingenuity and instinct sometimes required to uncover a software security flaw are the result of years of experience probing and testing for signs of mistakes made by software developers. Which raises the question: can an AI know us better than we know ourselves?

Thankfully, the article concludes that rather than replacing pentesters, AI will be a very useful tool in the pentester’s toolbox to automate tedious tasks, leaving humans to focus on the more high-brow tasks. It’s an interesting article and certainly worth a read!

Vulnerability: Broken API Authorization exposes Zitadel IAM  

Zitadel is a popular open-source identity and access management solution. An authorization vulnerability was recently reported on 12 of the platform’s API endpoints used for administrative functions. 

Insufficient authorization checks allowed users with standard, non-administrative privileges to invoke administrator-level functions, including modifying LDAP authentication settings to disable security controls and take over other accounts.

API vulnerabilities that allow unauthorized access to privileged functionality are common enough to rank fifth in the OWASP API Security Top 10: API5: Broken Function Level Authorization.

Recommendations for prevention include denying access by default and carefully implementing role-based access control on every endpoint, not only the ones that look sensitive. This is also the approach the Zitadel team took to resolve the vulnerability.
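As an added example, not Zitadel’s code and not the fix the project shipped, the following Go program shows the API5 pattern beside a deny-by-default version. The route names, the role names, and the X-Role header used to stand in for a verified token are assumptions of the example; a real service would take the role from validated token claims, never from client-controlled input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role is the caller's role as recovered from a validated session or token (assumed names).
type Role string

const (
	RoleUser  Role = "user"
	RoleAdmin Role = "admin"
)

// permissions is the explicit allowlist: "METHOD path" -> roles that may call it.
// Any route that is not listed is denied for every caller, admins included.
var permissions = map[string][]Role{
	"GET /api/v1/me":                      {RoleUser, RoleAdmin},
	"GET /api/v1/admin/users":             {RoleAdmin},
	"PUT /api/v1/admin/idp/ldap/settings": {RoleAdmin},
}

// Authorized implements the deny-by-default check for function-level access.
func Authorized(role Role, method, path string) bool {
	allowed, listed := permissions[method+" "+path]
	if !listed {
		return false
	}
	for _, r := range allowed {
		if r == role {
			return true
		}
	}
	return false
}

// roleFromRequest stands in for token validation. This constructed example reads the
// role from a header; a real service takes it from verified token claims only.
func roleFromRequest(r *http.Request) (Role, bool) {
	switch r.Header.Get("X-Role") {
	case "user":
		return RoleUser, true
	case "admin":
		return RoleAdmin, true
	}
	return "", false
}

// vulnerableHandler is the API5 pattern: it verifies that the caller is authenticated
// and then performs an administrative action with no role check at all.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := roleFromRequest(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ldap settings updated")
}

// hardenedHandler adds the deny-by-default permission check before the action runs.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	role, ok := roleFromRequest(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	if !Authorized(role, r.Method, r.URL.Path) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "ldap settings updated")
}

// Call exercises a handler in-process and returns the HTTP status it produced.
func Call(h http.HandlerFunc, role, method, path string) int {
	req := httptest.NewRequest(method, path, nil)
	if role != "" {
		req.Header.Set("X-Role", role)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	path := "/api/v1/admin/idp/ldap/settings"
	fmt.Println("vulnerable, user role:   ", Call(vulnerableHandler, "user", http.MethodPut, path))   // 200
	fmt.Println("hardened, user role:     ", Call(hardenedHandler, "user", http.MethodPut, path))     // 403
	fmt.Println("hardened, admin role:    ", Call(hardenedHandler, "admin", http.MethodPut, path))    // 200
	fmt.Println("hardened, unlisted route:", Call(hardenedHandler, "admin", http.MethodDelete, path)) // 403
	fmt.Println("hardened, no credentials:", Call(hardenedHandler, "", http.MethodPut, path))         // 401
}
```

The point of the permission table is that an endpoint someone forgot to list (the DELETE case above) fails closed instead of open, which is exactly the property that a per-handler “remember to add the check” discipline does not give you.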

Article: API Security and OpenBanking in APAC

Open Banking leverages APIs to enable third-party providers (TPPs) like fintechs, payment services, and other financial institutions to gain authorized access to a bank’s customer data and provide value-added services.

To underscore the important role of APIs in OpenBanking, it’s worth taking a look at the UK Open Banking website which shares statistics on monthly API traffic for Open Banking transactions. For example, the site states that 1.9 billion successful API calls were made in the UK in January 2025 alone (approximately 61 million API calls per day). 

In Asia-Pacific, banks, payment gateways and fintechs also make extensive use of APIs as part of the expanding financial services ecosystem in the region. An article on The Register website discusses the challenges of securing a complex system consisting of thousands of interconnected APIs managed by many different API providers. 

“The security of the ecosystem is only as strong as its weakest link”

The article suggests several essential API protection mechanisms to deploy to strengthen Open Banking systems:

  • Enforce multi-factor authentication and object-level authorization on every API request
  • Block malicious data and injection attacks with API input validation
  • Validate API response data to prevent unauthorized data leaks

These are good recommendations for any API that provides access to private resources, as the same API vulnerabilities and attacks occur frequently across all industries that use APIs.
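As an added example, not from The Register article or any Open Banking implementation, the Go program below sketches the second and third recommendations, plus the authorization half of the first, for an account-information endpoint: the account id is validated against a fixed shape before lookup, the record is released only to the token subject that owns it, and the outbound body is built from an allowlisted struct and then re-checked for keys that must never leave the service. The account ids, the psu-* subject identifiers, the field names and the sample records are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Account is the constructed internal record, tagged the way a persistence layer
// might tag it. Several of its fields must never reach a third-party provider.
type Account struct {
	ID           string `json:"accountId"`
	OwnerSubject string `json:"ownerSubject"` // PSU the account belongs to (token subject)
	IBAN         string `json:"iban"`
	Balance      int64  `json:"balance"`    // minor units
	RiskScore    int    `json:"riskScore"`  // internal only
	StaffNotes   string `json:"staffNotes"` // internal only
}

// AccountResponse is the allowlisted shape returned to TPPs. Fields not declared
// here cannot be serialized, whatever the internal record contains.
type AccountResponse struct {
	ID      string `json:"accountId"`
	IBAN    string `json:"iban"`
	Balance int64  `json:"balance"`
}

var (
	ErrInvalidID = errors.New("invalid account id")
	ErrNotFound  = errors.New("account not found")

	// Input validation: the id has one fixed shape; anything else is rejected before lookup.
	accountIDPattern = regexp.MustCompile(`^acc-[0-9]{6}$`)

	// sensitiveKeys are JSON keys that must never appear in an outbound body.
	sensitiveKeys = []string{"ownerSubject", "riskScore", "staffNotes"}

	// accounts is constructed sample data standing in for the bank's data store.
	accounts = map[string]Account{
		"acc-000001": {ID: "acc-000001", OwnerSubject: "psu-alice", IBAN: "GB00TEST00000001", Balance: 125000, RiskScore: 3, StaffNotes: "flagged for review"},
		"acc-000002": {ID: "acc-000002", OwnerSubject: "psu-bob", IBAN: "GB00TEST00000002", Balance: 4200, RiskScore: 1},
	}
)

// GetAccount is the object-level authorization check: subject is the verified
// subject of the caller's access token, accountID the id taken from the URL.
func GetAccount(subject, accountID string) (AccountResponse, error) {
	if !accountIDPattern.MatchString(accountID) {
		return AccountResponse{}, ErrInvalidID
	}
	acct, ok := accounts[accountID]
	// A foreign account and a missing account produce the same error, so a caller
	// cannot use the response to enumerate which ids exist.
	if !ok || acct.OwnerSubject != subject {
		return AccountResponse{}, ErrNotFound
	}
	return AccountResponse{ID: acct.ID, IBAN: acct.IBAN, Balance: acct.Balance}, nil
}

// Render serializes a response and refuses to emit it if a sensitive key is present,
// which catches a handler that was changed to return the internal record by mistake.
func Render(v any) ([]byte, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var decoded map[string]any
	if err := json.Unmarshal(body, &decoded); err != nil {
		return nil, err
	}
	for key := range decoded {
		for _, s := range sensitiveKeys {
			if strings.EqualFold(key, s) {
				return nil, fmt.Errorf("response validation: sensitive field %q in body", key)
			}
		}
	}
	return body, nil
}

func main() {
	resp, err := GetAccount("psu-alice", "acc-000001")
	fmt.Println(err) // <nil>
	body, err := Render(resp)
	fmt.Println(string(body), err) // {"accountId":"acc-000001","iban":"GB00TEST00000001","balance":125000} <nil>

	_, err = GetAccount("psu-bob", "acc-000001") // Bob asks for Alice's account
	fmt.Println(err)                              // account not found

	_, err = GetAccount("psu-alice", "acc-000001' OR 1=1")
	fmt.Println(err) // invalid account id

	_, err = Render(accounts["acc-000001"]) // the internal record, handed to Render by mistake
	fmt.Println(err)                        // response validation: sensitive field ... in body
}
```

Two design choices worth noting: the ownership check compares against the token subject rather than anything the client sent in the request, and the response allowlist is a separate type rather than a list of fields to strip, so a new column added to Account is hidden by default rather than exposed by default.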

