Issue 272: Volkswagen API hacked, API flaws in Instagram & Tiktok, ELi attacks, Radware & Cisco API vulnerabilities


This week, we’re sharing five API vulnerability incidents that provide valuable insights into how APIs are commonly hacked and how to prevent the same vulnerabilities in your own APIs. These incidents include the exposure of vehicle owner data through Volkswagen’s mobile app, account enumeration flaws in the Instagram and TikTok APIs, an in-depth look at expression language injection attacks, and API vulnerabilities in Radware and Cisco platforms.

Vulnerability: Volkswagen Authentication API Exposes OTP

A security researcher hacked Volkswagen’s mobile app by brute-forcing the API that validates a one-time password (OTP). The API enforced no rate limiting, so an attacker could submit an unlimited number of guesses for the 4-digit code (at most 10,000 possibilities), bypassing the OTP control entirely and gaining access to the target vehicle.

Identifying this vulnerability prompted the researcher to investigate the other APIs used by the mobile app. The report also reveals:

  • Sensitive data leaked in an API response, including plaintext passwords and secrets.
  • Any vehicle’s detailed service history could be retrieved through an API request, requiring only the vehicle’s VIN (often publicly displayed on the windshield).
  • The leaked service history data included personally identifiable information (PII) about the vehicle’s owner. 
  • Telemetry data, driver credentials, and driver’s license numbers were also exposed via other APIs.

A previous Imperva report found that 44% of account takeover (ATO) attacks in 2024 targeted APIs. This is not surprising, as APIs now commonly front authentication services such as credential validation and one-time password validation.

Network devices such as API gateways often provide generic brute-force protection (typically per-IP rate limits), but authentication APIs need more granular controls to withstand targeted attacks: a limit on the number of attempts per account or per issued OTP, invalidation of the code once that limit is reached, and throttling of how often a new code can be requested. A per-IP limit alone is defeated by an attacker who spreads the guesses across many source addresses.
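To make the difference concrete, here is an added example (not Volkswagen’s code, and not taken from the researcher’s report) of an OTP verifier with no attempt limit beside one that binds an attempt counter to the issued code. The 5-attempt threshold and the class and function names are assumptions made for the illustration; the attacker loop simply walks the whole 4-digit code space as the report describes.

```python
"""Added example (not Volkswagen's code): OTP verification with and without attempt limiting."""
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumption: lockout threshold chosen for this example


def new_otp(digits: int = 4) -> str:
    """Generate a zero-padded numeric one-time code from a CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpVerifierNoLimit:
    """Vulnerable: any number of guesses is accepted, so a 4-digit code
    falls to at most 10,000 requests against the verification endpoint."""

    def __init__(self, code: str) -> None:
        self._code = code

    def verify(self, guess: str) -> bool:
        return hmac.compare_digest(self._code, guess)


class OtpVerifierLimited:
    """Hardened: the counter is bound to this challenge (per account / per OTP),
    not to the client IP, and the code is consumed after a success or a lockout."""

    def __init__(self, code: str, max_attempts: int = MAX_ATTEMPTS) -> None:
        self._code = code
        self._remaining = max_attempts

    def verify(self, guess: str) -> bool:
        if self._remaining <= 0:
            return False  # locked out: a fresh challenge (new code) must be issued
        self._remaining -= 1
        ok = hmac.compare_digest(self._code, guess)
        if ok:
            self._remaining = 0  # one-time: a correct code cannot be replayed
        return ok


def brute_force(verifier, digits: int = 4):
    """Attacker loop: walk the whole code space. Returns (code_found, requests_sent)."""
    sent = 0
    for n in range(10 ** digits):
        sent += 1
        guess = f"{n:0{digits}d}"
        if verifier.verify(guess):
            return guess, sent
    return None, sent


if __name__ == "__main__":
    code = new_otp()
    print("unlimited:", brute_force(OtpVerifierNoLimit(code)))  # always finds the code
    print("limited:  ", brute_force(OtpVerifierLimited(code)))  # (None, 10000)
```

Against the unlimited verifier the loop always recovers the code within 10,000 requests; against the limited one every guess after the fifth is rejected regardless of its value. Note that a per-code limit alone still leaves the attacker a 5-in-10,000 chance per issued code, which is why the rate at which new codes can be requested must be throttled as well.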

Note that Volkswagen has now patched these vulnerabilities. 

Vulnerability: Users exposed by Instagram and TikTok APIs

Is your email address associated with an Instagram, TikTok, or even a business account?

This type of information is valuable to threat actors, especially in bulk, where it can be used in mass credential stuffing or spear-phishing campaigns. Returning to our previous topic of authentication APIs, a recent report highlights malicious “checker” packages that automate requests to the Instagram and TikTok APIs to determine which stolen email addresses are associated with an account on those platforms.

A poorly designed authentication API can inadvertently reveal this information through any observable difference between its responses for registered and unregistered accounts: the HTTP status code, the error message, or even the response time (for example, when the password hash is only computed for accounts that exist). A typical pair of distinguishable responses:

HTTP 404 “account not found”

HTTP 401 “invalid credentials”

These enumeration attacks are common enough that teams should follow OWASP’s authentication guidance (see the OWASP Authentication Cheat Sheet), which recommends returning the same generic error, with the same status code and comparable response time, for every failed login so that no discrepancy can be used to extract information about customers.
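As an added example (not code from Instagram, TikTok, or the report on the checker packages), the snippet below contrasts a login handler that leaks account existence with one that returns a single generic failure and performs the same hashing work in both cases, and then runs a minimal “checker” loop against each. The user store, email addresses, passwords and function names are constructed for the illustration.

```python
"""Added example (not Instagram's or TikTok's code): login responses that leak account
existence versus a generic response that does not."""
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store for the example: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy credential so unknown accounts cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2("placeholder", _DUMMY_SALT))


def login_vulnerable(email: str, password: str):
    """Two distinct failures: status and message reveal whether the email is registered."""
    record = USERS.get(email)
    if record is None:
        return 404, "account not found"          # unregistered
    salt, stored = record
    if not hmac.compare_digest(stored, _pbkdf2(password, salt)):
        return 401, "invalid credentials"        # registered, wrong password
    return 200, "ok"


def login_hardened(email: str, password: str):
    """One failure path: same status, same message, same hashing work either way."""
    salt, stored = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(stored, _pbkdf2(password, salt))
    if not (matched and email in USERS):        # 'email in USERS' guards the dummy record
        return 401, "invalid credentials"
    return 200, "ok"


def checker(login, emails):
    """What a malicious 'checker' does: submit a junk password for each stolen address
    and bucket the addresses by the response the login endpoint returns."""
    buckets = {}
    for email in emails:
        buckets.setdefault(login(email, "definitely-wrong"), []).append(email)
    return buckets


if __name__ == "__main__":
    stolen = ["alice@example.com", "nobody@example.com", "ghost@example.org"]
    print("vulnerable:", checker(login_vulnerable, stolen))  # two buckets: registered / not
    print("hardened:  ", checker(login_hardened, stolen))    # one bucket: nothing learned
```

Against the vulnerable handler the checker sorts the addresses into “registered” (401) and “unregistered” (404) with one request each; against the hardened handler every address lands in the same bucket. The dummy hash matters as much as the message: without it, unknown accounts would fail measurably faster than known ones, and the timing channel would leak what the message no longer does.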

Vulnerability: API Expression Language Injection Attacks

Here’s another recent and interesting attack exploiting flaws in an API’s error response!

A watchTowr research team discovered an Expression Language Injection (ELi) vulnerability in the API of Ivanti’s mobile device management (MDM) product. The detailed report describes the team’s vulnerability discovery process, which I highly recommend if you’re technically inclined. 

My TL;DR version: the API takes an untrusted value from the ‘format’ query parameter, the backend framework evaluates any expression embedded in it, and the result is echoed in the error response. In the simplified example below, the parameter value decodes to ‘watchTowr${7*7}’ (the ‘${’ and ‘}’ are URL-encoded as ‘%24%7b’ and ‘%7d’), and the API returns ‘watchTowr49’ in the error message, proving that ‘7*7’ was evaluated on the server.

Malicious API request:

GET /mifs/admin/rest/api/v2/featureusage?format=watchTowr%24%7b7*7%7d

Exploited API response:

"Format 'watchTowr49' is invalid. Valid formats are 'json', 'csv'."

This confirms that the API is vulnerable to ELi. Arithmetic is only the proof; depending on the expression language engine behind the sink, the same injection point can typically be escalated to method invocation and command execution on the API server.

This incident reminds API testers to be wary of APIs that include user input in the response, as they may be vulnerable to similar injection attacks. 

Developers can avoid this vulnerability by returning generic error responses to malformed or invalid requests that never echo the user-supplied value, and by ensuring that error messages are never passed through a template or expression evaluator.
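The check a tester would run, as an added example (not watchTowr’s tooling and not Ivanti’s code): send a unique marker followed by an arithmetic expression and look for the marker glued to the computed product in the response. The toy backend it runs against is an assumption, a deliberately arithmetic-only stand-in for an expression engine that interpolates ‘${…}’ in message strings, shown once with the flaw and once with a generic error.

```python
"""Added example (not Ivanti's or watchTowr's code): a tester's probe for expression
evaluation in error messages, run against a toy backend with and without the flaw."""
import ast
import operator
import re

# Toy stand-in for a framework that evaluates ${...} inside message strings.
# Restricted to integer arithmetic so this demo cannot evaluate anything else.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_arith(expr: str) -> int:
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression")
    return walk(ast.parse(expr, mode="eval").body)


def _interpolate(message: str) -> str:
    return re.sub(r"\$\{([^}]*)\}", lambda m: str(_eval_arith(m.group(1))), message)


VALID_FORMATS = ("json", "csv")


def handler_vulnerable(fmt: str):
    """The untrusted value is placed into the message, and the message is then evaluated."""
    if fmt in VALID_FORMATS:
        return 200, f"format={fmt}"
    try:
        return 400, _interpolate(f"Format '{fmt}' is invalid. Valid formats are 'json', 'csv'.")
    except (ValueError, SyntaxError):
        return 500, "internal error"  # evaluation blew up on the attacker's input


def handler_hardened(fmt: str):
    """Generic error; the input is never echoed, so there is nothing for an engine to evaluate."""
    if fmt in VALID_FORMATS:
        return 200, f"format={fmt}"
    return 400, "Invalid 'format' parameter."


def eli_probe(send, marker: str = "probe", a: int = 1337, b: int = 7331) -> bool:
    """Send marker${a*b}; the target is vulnerable if the response carries the marker
    followed by the product and no longer carries the literal expression."""
    payload = f"{marker}${{{a}*{b}}}"
    _status, body = send(payload)
    return f"{marker}{a * b}" in body and payload not in body


if __name__ == "__main__":
    print("vulnerable:", eli_probe(handler_vulnerable))  # True
    print("hardened:  ", eli_probe(handler_hardened))    # False
```

Large, unusual factors are used so that the product cannot appear in a response by coincidence, and the marker ties the number to the injected parameter rather than to some unrelated counter. Against a real HTTP endpoint the payload must be URL-encoded (urllib.parse.quote) before it goes into the query string, exactly as ‘%24%7b7*7%7d’ was in the report.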

Vulnerability: Malicious input bypasses Radware’s WAF 

Continuing on the topic of malicious user input, Radware’s Web Application Firewall (WAF) was reported to be bypassable by malformed input: malicious payloads delivered in GET requests, or payloads padded with non-alphanumeric characters so that they no longer match the WAF’s signature-based detection rules.

“Notably, these flaws persist despite modern WAFs employing machine learning models for anomaly detection.”

This type of attack is commonly used by threat actors to automatically fuzz a web application or API with malformed input and watch for any unexpected response from the target. An unexpected or undefined API response often reveals a vulnerability, such as a logic flaw or security misconfiguration, that can be further exploited.

WAFs are useful in the web application space. However, APIs have an inherently larger attack surface than traditional web applications due to the numerous endpoints, data properties and parameters they expose. This can create blind spots for WAFs that weren’t designed for fine-grained API security. 

The report recommends implementing secondary input validation layers capable of blocking logically inconsistent traffic. In the API domain, a purpose-built schema or API contract validator can help to protect against these types of malicious input attacks.

Vulnerability: Cisco Platform API exposes privilege escalation flaw 

Finally, further highlighting the importance of input validation for API security, a recent security advisory reports several vulnerabilities in the Cisco Unified Intelligence Center platform, all due to “insufficient validation of user-supplied parameters in API requests”.

All APIs require customized security because each has its own data properties and access control requirements. Most API attacks arrive through the request itself, either as malicious request data or by exercising a security control that is not enforced, such as missing authentication or missing object-level authorization (i.e. checking that “this user is authorized to access this requested object”).

To be effective, API input validation must be fine-grained and enforce a data allowlist and security requirements tailored to the service provided by the API. This ensures that the API is designed to accept only valid requests and reject malicious or invalid requests by default.
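Both the schema or contract validator recommended above for the Radware case and the fine-grained allowlist described here come down to the same mechanism: describe every endpoint, parameter and value shape the API accepts, and reject everything else by default. The following is an added example of such a validator (not Radware’s or Cisco’s code); the endpoint, its contract and the sample requests are constructed for the illustration.

```python
"""Added example (not Radware's or Cisco's code): positive (allowlist) validation of API
request parameters against a per-endpoint contract, which rejects anything not described."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Param:
    kind: type                       # int or str
    pattern: Optional[str] = None    # regex the whole string value must match
    max_len: Optional[int] = None
    minimum: Optional[int] = None
    maximum: Optional[int] = None
    required: bool = False


# Constructed contract for one hypothetical endpoint (parsed JSON body or typed query).
CONTRACT = {
    "GET /api/v1/reports": {
        "format": Param(str, pattern=r"json|csv", required=True),
        "page": Param(int, minimum=1, maximum=1000),
        "reportId": Param(str, pattern=r"[A-Za-z0-9_-]+", max_len=32),
    },
}


def validate(route: str, params: dict) -> list:
    """Return the list of contract violations for a parsed request; [] means it conforms."""
    spec = CONTRACT.get(route)
    if spec is None:
        return [f"unknown route {route!r}"]              # default deny
    errors = [f"unexpected parameter {n!r}" for n in params if n not in spec]
    for name, rule in spec.items():
        if name not in params:
            if rule.required:
                errors.append(f"missing required parameter {name!r}")
            continue
        value = params[name]
        if rule.kind is int:
            if type(value) is not int:                  # bool is an int subclass; reject it too
                errors.append(f"{name!r} must be an integer")
            elif (rule.minimum is not None and value < rule.minimum) or \
                 (rule.maximum is not None and value > rule.maximum):
                errors.append(f"{name!r} out of range")
        else:
            if type(value) is not str:
                errors.append(f"{name!r} must be a string")
            elif rule.max_len is not None and len(value) > rule.max_len:
                errors.append(f"{name!r} too long")
            elif rule.pattern is not None and re.fullmatch(rule.pattern, value) is None:
                errors.append(f"{name!r} does not match allowed pattern")
    return errors


if __name__ == "__main__":
    route = "GET /api/v1/reports"
    for req in ({"format": "json", "page": 2},
                {"format": "js/**/on"},                       # WAF-style padding, still rejected
                {"format": "csv", "reportId": "r1'; DROP TABLE--"},
                {"format": "csv", "debug": "1"}):
        print(req, "->", validate(route, req) or "OK")
```

The validator never tries to recognise an attack; it only knows what a legitimate request looks like, so the comment padding and quoting tricks that defeat signature matching fail simply because they are not ‘json’ or ‘csv’. Contract validation covers the request’s shape only; the object-level authorization check described above (does this user own this reportId?) still has to be enforced separately in the handler.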

