This week, we’re sharing five API vulnerability incidents that provide valuable insights into how APIs are commonly hacked and how to prevent these same vulnerabilities in your APIs. These incidents include the exposure of vehicle owner data from Volkswagen’s mobile app, enumeration vulnerabilities in Instagram and Tiktok APIs, an in-depth look at expression language injection attacks, and cases of API vulnerabilities in Radware and Cisco platforms.
Vulnerability: Volkswagen Authentication API Exposes OTP
A security researcher successfully hacked Volkswagen’s mobile app by launching a brute-force attack on an API used to validate a one-time password (OTP). Because the API was not protected by rate limiting, a hacker could send an unlimited number of requests to guess the correct 4-digit OTP code, circumventing the OTP security control for the mobile app to gain access to the target vehicle.
Identifying this vulnerability prompted the researcher to investigate the other APIs used by the mobile app. The report also reveals:
- Sensitive data leaked in an API response, including plaintext passwords and secrets.
- Any vehicle’s detailed service history could be retrieved through an API request, requiring only the vehicle’s VIN (often publicly displayed on the windshield).
- The leaked service history data included personally identifiable information (PII) about the vehicle’s owner.
- Telemetry data, driver credentials, and driver’s license numbers were also exposed via other APIs.
A previous Imperva report revealed that 44% of account takeover (ATO) attacks in 2024 targeted APIs. This finding is not surprising, as APIs are now widely used for authentication services, such as user credential validation and one-time password validation.
Network devices such as gateways are often used to provide general protection against brute-force attacks; however, authentication APIs require more granular rate-limiting controls to protect against targeted API attacks.
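The granular control an OTP endpoint needs is a per-code attempt budget, not just a gateway-level request limit. The following is an added example (not Volkswagen’s code) of a hypothetical OTP validator that burns a code after a fixed number of wrong guesses or after its lifetime expires, compares in constant time, and never accepts a used code again; the constants and identifiers are illustrative assumptions.

```python
import hmac
import time
from collections import defaultdict

# Hypothetical OTP validation service with a per-code attempt budget.
# Added example; not Volkswagen's code. Constants are illustrative choices.
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is burned
OTP_LIFETIME_SECONDS = 300  # code validity window


class OtpValidator:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._pending = {}                   # identifier -> (code, issued_at)
        self._failures = defaultdict(int)    # identifier -> wrong guesses so far

    def issue(self, identifier, code):
        """Register a freshly generated code for an identifier (user id, VIN, phone)."""
        self._pending[identifier] = (code, self._now())
        self._failures[identifier] = 0

    def is_pending(self, identifier):
        return identifier in self._pending

    def verify(self, identifier, submitted):
        """True only for the correct, unexpired code within the attempt budget.
        Every failure path returns the same value, so the caller learns nothing
        beyond success/failure."""
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > OTP_LIFETIME_SECONDS:
            self._burn(identifier)
            return False
        # Constant-time comparison: no timing difference for partially correct guesses.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            self._burn(identifier)           # one-time: a used code is never accepted again
            return True
        self._failures[identifier] += 1
        if self._failures[identifier] >= MAX_ATTEMPTS:
            self._burn(identifier)           # budget exhausted: force a fresh code
        return False

    def _burn(self, identifier):
        self._pending.pop(identifier, None)
        self._failures.pop(identifier, None)


def guesses_until_burned(validator, identifier):
    """Count how many submissions the service processes before the pending code is
    burned, feeding sequential constructed guesses. With a 4-digit code this bounds
    the chance of a lucky guess at MAX_ATTEMPTS / 10000 per issued code."""
    count = 0
    guess = 0
    while validator.is_pending(identifier):
        validator.verify(identifier, f"{guess:04d}")
        count += 1
        guess += 1
    return count


if __name__ == "__main__":
    v = OtpValidator()
    v.issue("user-1", "4821")
    print("wrong guess accepted:", v.verify("user-1", "0000"))
    print("correct code accepted:", v.verify("user-1", "4821"))
    v.issue("user-2", "4821")
    print("guesses before burn:", guesses_until_burned(v, "user-2"))
```

The budget lives next to the code itself rather than in a gateway counter keyed on source IP, so distributing guesses across many addresses does not buy an attacker more attempts.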
Vulnerability: Users exposed by Instagram and Tiktok APIs
Is your email address associated with an Instagram, Tiktok, or even a business account?
This type of information is valuable to threat actors, especially in bulk, where it can be used in mass credential stuffing or spear-phishing attacks. Returning to our previous topic on authentication APIs, a recent report highlights the use of malicious “checker” packages that automate requests to Instagram and Tiktok APIs to check which stolen email addresses were associated with an account on these platforms.
A poorly designed authentication API can inadvertently reveal this information due to a discrepancy factor in the API’s response, such as the HTTP error code, the error message, or even the API’s response time.
- HTTP 404 “account not found”
- HTTP 401 “invalid credentials”
These enumeration attacks are common enough that teams should pay attention to OWASP guidelines on authentication, which recommend APIs respond with a generic error message to avoid exposing a discrepancy factor that could be used to extract information about customers.
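To make the discrepancy concrete, here is an added example (not code from any of the platforms named above) showing a login function that leaks account existence through distinct status codes beside a generic one that returns the same status, message and hashing cost whether or not the email is registered, plus a small defender’s check that counts distinct failure responses. The user store, salt and candidate emails are constructed for the example.

```python
import hashlib
import hmac

# Constructed user store for the example: email -> (salt, PBKDF2 hash). Not real accounts.
def _derive(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-example-salt"
USERS = {"alice@example.com": (_SALT, _derive(_SALT, "correct horse battery"))}
# Placeholder credential used for unknown emails so the hashing work (and thus
# response time) is the same whether or not the account exists.
_DUMMY = (_SALT, _derive(_SALT, "placeholder-never-valid"))


def login_leaky(email, password):
    """Vulnerable pattern: a different status/message depending on whether the
    email is registered, which is exactly the discrepancy a checker automates."""
    user = USERS.get(email)
    if user is None:
        return 404, "account not found"
    salt, stored = user
    if not hmac.compare_digest(_derive(salt, password), stored):
        return 401, "invalid credentials"
    return 200, "ok"


def login_generic(email, password):
    """Hardened pattern: identical status, message and work factor for unknown
    emails and wrong passwords, as the OWASP authentication guidance recommends."""
    salt, stored = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(_derive(salt, password), stored)
    # The membership test runs after the hash so unknown emails cost the same time;
    # it guards against the placeholder credential ever authenticating.
    if not (matched and email in USERS):
        return 401, "invalid email or password"
    return 200, "ok"


def distinct_responses(login, emails, password):
    """Defender's check: probe a login function with one fixed wrong password over a
    list of candidate emails and return the set of distinct responses. More than one
    distinct failure response means the endpoint is an account-existence oracle."""
    return {login(e, password) for e in emails}


# Constructed candidate list of the kind a "checker" package would feed through an API.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    print("leaky  :", distinct_responses(login_leaky, CANDIDATES, "wrong"))
    print("generic:", distinct_responses(login_generic, CANDIDATES, "wrong"))
```

Response time is the third discrepancy factor named above; deriving a hash for the placeholder credential on the unknown-email path is what keeps the two failure paths indistinguishable on that axis as well.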
Vulnerability: API Expression Language Injection Attacks
Here’s another recent and interesting attack exploiting flaws in an API’s error response!
A watchTowr research team discovered an Expression Language Injection (ELi) vulnerability in the API of Ivanti’s mobile device management (MDM) product. The detailed report describes the team’s vulnerability discovery process, which I highly recommend if you’re technically inclined.
My TL;DR version: the API unsafely handles malformed user input which is “evaluated” by the backend framework and returned in the error response. In the simplified example below, the user includes the arithmetic operation “7*7” in the “format” query parameter, and the API returns the calculated value “49” in the error response.
Malicious API request:
GET /mifs/admin/rest/api/v2/featureusage?format=watchTowr%24%7b7*7%7d
Exploited API response:
"Format 'watchTowr49' is invalid. Valid formats are 'json', 'csv'."
This confirms that the API is vulnerable to ELi and could be exploited to execute malicious commands on the API server.
This incident reminds API testers to be wary of APIs that include user input in the response, as they may be vulnerable to similar injection attacks.
Developers can also avoid this vulnerability by designing APIs that return generic error responses to malformed or invalid user requests.
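The two defensive points above, a generic error that does not reflect the input and awareness of expression syntax arriving in parameters, are illustrated in this added example (not Ivanti’s code or watchTowr’s tooling). The handler is a hypothetical replacement for the vulnerable `format` parameter check, and the log scanner is a detection pass over constructed access log lines; the allowlist of valid formats comes from the error message quoted above.

```python
import re
from urllib.parse import parse_qs, unquote

# Allowlist taken from the valid formats named in the error message above.
VALID_FORMATS = ("json", "csv")


def handle_featureusage(query_string):
    """Hypothetical hardened handler for a 'format' query parameter (added example,
    not Ivanti's code). The submitted value is compared against an allowlist and is
    never reflected into the error body, so nothing user-controlled reaches a template
    or expression evaluator."""
    values = parse_qs(query_string, keep_blank_values=True).get("format", [])
    if len(values) != 1 or values[0] not in VALID_FORMATS:
        return 400, {"error": "invalid format", "valid_formats": list(VALID_FORMATS)}
    return 200, {"format": values[0]}


# Expression-language delimiters worth flagging in access logs: ${..}, #{..}, %{..}, *{..}
EL_PATTERN = re.compile(r"[$#%*]\{[^}]*\}")


def flag_el_requests(log_lines):
    """Detection pass over combined-format access log lines: percent-decode each
    request target and report (line number, decoded target) where EL syntax appears."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        m = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+)', line)
        if not m:
            continue
        target = unquote(m.group(1))
        if EL_PATTERN.search(target):
            hits.append((lineno, target))
    return hits


# Constructed sample log lines (not from any real system); the second reuses the
# encoded ${7*7} probe shown above, the third uses a different delimiter style.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /mifs/admin/rest/api/v2/featureusage?format=json HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /mifs/admin/rest/api/v2/featureusage?format=watchTowr%24%7b7*7%7d HTTP/1.1" 400 98',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /mifs/admin/rest/api/v2/featureusage?format=%23%7b1%2b1%7d HTTP/1.1" 400 98',
]

if __name__ == "__main__":
    print(handle_featureusage("format=watchTowr%24%7b7*7%7d"))
    for lineno, target in flag_el_requests(SAMPLE_LOG):
        print(f"line {lineno}: {target}")
```

Decoding before matching matters: the probe in the quoted request arrives as `%24%7b...%7d`, which a rule written against the raw log line would miss.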
Vulnerability: Malicious input bypasses Radware’s WAF
Continuing on the topic of malicious user input, Radware’s Web Application Firewall (WAF) was found to be vulnerable to malformed input, either in the form of malicious payloads in GET requests, or by adding non-alphanumeric characters to bypass the WAF’s signature-based detection rules.
“Notably, these flaws persist despite modern WAFs employing machine learning models for anomaly detection.”
This type of attack is commonly used by threat actors to automatically fuzz a web application or API with malformed input to detect any unexpected response from the target. An unexpected or undefined API response often reveals a vulnerability, such as a logic flaw or security misconfiguration, that can be further exploited.
WAFs are useful in the web application space. However, APIs have an inherently larger attack surface than traditional web applications due to the numerous endpoints, data properties and parameters they expose. This can create blind spots for WAFs that weren’t designed for fine-grained API security.
The report recommends implementing secondary input validation layers capable of blocking logically inconsistent traffic. In the API domain, a purpose-built schema or API contract validator can help to protect against these types of malicious input attacks.
Vulnerability: Cisco Platform API exposes privilege escalation flaw
Finally, this week, further highlighting the importance of input validation for API security, a recent security advisory reports several vulnerabilities discovered in the Cisco Unified Intelligence Center platform, all due to “insufficient validation of user-supplied parameters in API requests”.
All APIs require customized security because each has its own data properties and access control requirements. Most attacks against APIs are exploited via the API transaction, in the form of malicious request data or unenforced security controls, such as missing authentication or insufficient resource authorization (e.g. “this user is authorized to access this requested object”).
To be effective, API input validation must be fine-grained and enforce a data allowlist and security requirements tailored to the service provided by the API. This ensures that the API is designed to accept only valid requests and reject malicious or invalid requests by default.
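The contract validator recommended in the Radware section and the fine-grained allowlist described here are the same control, so one added example serves both (it is not Radware’s, Cisco’s or any vendor’s code). It validates a hypothetical "record vehicle service" request body against a constructed contract, rejects unknown properties instead of ignoring them, then applies the object-level authorization check from the paragraph above, returning generic error bodies throughout.

```python
import re

# Constructed contract for a hypothetical "record vehicle service" request body.
# Every accepted property is listed; anything else is rejected (allowlist).
CONTRACT = {
    "vin":     {"type": str, "pattern": r"[A-HJ-NPR-Z0-9]{17}", "required": True},
    "mileage": {"type": int, "min": 0, "max": 2_000_000, "required": True},
    "notes":   {"type": str, "max_len": 500, "required": False},
}


def validate(payload, contract=CONTRACT):
    """Return the list of contract violations (an empty list means acceptable)."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = [f"unexpected property: {k}" for k in payload if k not in contract]
    for key, rule in contract.items():
        if key not in payload:
            if rule.get("required"):
                errors.append(f"missing property: {key}")
            continue
        value = payload[key]
        # bool is a subclass of int in Python; do not let true/false pass as a number.
        if not isinstance(value, rule["type"]) or (rule["type"] is int and isinstance(value, bool)):
            errors.append(f"wrong type for {key}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"bad format for {key}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{key} too long")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key} below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key} above maximum")
    return errors


def handle_service_record(payload, caller_vins):
    """Request pipeline: contract validation first, then object-level authorization
    (the caller may only write records for VINs bound to their account).
    Error bodies are generic and never echo the submitted values."""
    if validate(payload):
        return 400, {"error": "invalid request"}
    if payload["vin"] not in caller_vins:
        return 403, {"error": "forbidden"}
    return 200, {"status": "accepted"}


# Constructed sample VIN (17 characters, no I/O/Q); not a real vehicle.
SAMPLE_VIN = "1HGCM82633A004352"

if __name__ == "__main__":
    print(validate({"vin": SAMPLE_VIN, "mileage": 1, "role": "admin"}))
    print(handle_service_record({"vin": SAMPLE_VIN, "mileage": 42000}, {SAMPLE_VIN}))
    print(handle_service_record({"vin": SAMPLE_VIN, "mileage": 42000}, set()))
```

The violation list is for server-side logging; the client only sees the generic body, which keeps the validator from becoming the kind of reflective error channel discussed in the ELi section.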