Issue 275: API hackers strike gold, Malicious API drift at CoinMarketCap, Survey reveals major API security gaps


This week, our theme is “how secure is your API security?”. We highlight two recent attacks targeting major financial platforms, along with a new industry survey that exposes significant gaps in API security practices. We also explore technical deep-dives into vulnerabilities such as JWT flaws and host header injection attacks. Plus, we share details on an upcoming API security unconference happening this October in Stockholm.

Breach: Popular Indian Gold Trading Platform Hacked

A well-known digital platform for buying and selling gold in India has suffered a significant security breach, enabling attackers to gain unauthorized access to sell customers’ digital gold holdings. According to multiple Indian news outlets, this breach at Aditya Birla Capital Digital Limited (ABCD) was traced to vulnerabilities in the company’s APIs.

“This flaw allowed the hacker to bypass security protocols, access user accounts, sell their digital gold holdings, and transfer the proceeds to various personal bank accounts”

Although the latest reports haven’t yet shared specifics of the API vulnerability, they confirm that attackers managed to circumvent an additional layer of protection: a one-time password (OTP) sent to the target users’ registered device.

This detail is similar to a case we covered in issue 272 of APISecurity.io, where a vulnerability in Volkswagen’s API also exposed OTPs and compromised user data.

These breaches highlight that having security controls in place isn’t enough. Organizations must rigorously assess the strength, implementation, and reliability of those controls, as API attackers are increasingly targeting the weakest links in authentication and authorization flows.

Report: Critical API Security Gaps at 84% of Companies 

A recent survey by Raidiam reveals critical deficiencies in API security across a range of organizations. The report evaluates each company’s API security posture relative to the sensitivity of the data their APIs expose, such as personal or payment-related information.

This survey focuses on companies that are not subject to strict regulatory frameworks like Open Banking. In other words, it spotlights how organizations manage API security when they’re left to define their own standards. While most companies had some API security controls in place, the findings are hardly encouraging:

  • Widespread use of weak or insecure API authentication methods 
  • Lack of fine-grained authorization, leading to over-privileged access 
  • Insufficient or nonexistent API security testing

Of the 68 companies assessed, 57 (84%) were classified as needing to “Act Urgently”, meaning their current API security practices are inadequate for the sensitivity of the data they handle.

The survey results underscore our key question: how secure is your API security, really? 

Vulnerability: Weak JWTs Expose the Manufacturing Sector

A report in SecurityWeek describes critical vulnerabilities in Microsens’s NMP Web+ product, used worldwide in the manufacturing sector. The vulnerabilities allowed unauthenticated attackers to forge JWTs and gain admin access. Among the issues: use of static JWT secrets and tokens with no expiration. These flaws enabled attackers to bypass authentication entirely and maintain indefinite access, making it a textbook example of how poor access token implementation can undermine an entire security model.

These types of JWT weaknesses are common targets for attackers. For instance, issue 274 detailed a similar case involving an unprotected payments API exposed through weak JWT validation (“Case Study: JWT Validation & Unauthorized Payments”).

API security policies should enforce robust JWT handling. At a minimum, ensure:

  • Secrets are rotated and never hardcoded.
  • Short-lived tokens with strict expiration are enforced.
  • The expected signing algorithm is pinned server-side rather than taken from the token header, and all claims are validated.
  • API Tokens and requests that fail any part of the policy are rejected outright.
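To make the list concrete, here is an added example (not code from the newsletter, from Microsens, or from the case study in issue 274) of a minimal HS256 verifier that applies those rules, written with the Python standard library only. The secret, the subjects and the timestamps are constructed for the demo; the `max_ttl` policy of 15 minutes is an assumption. The demo mints a healthy token and four bad ones: one with no `exp` (the never-expiring pattern from the advisory), one with a 24-hour lifetime, an `alg=none` forgery, and one signed with a guessed key. It also shows the flip side of a static secret: once that secret is known, an attacker's admin token is indistinguishable from a real one, and only rotation and a short lifetime limit the damage.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token. `alg` is a parameter only so the demo can build an alg=none forgery."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenRejected(Exception):
    pass


def verify_hs256(token: str, secret: bytes, now=None, max_ttl: int = 900) -> dict:
    """Policy: alg pinned to HS256 (never chosen from the header), valid signature,
    `exp` present and in the future, and exp - iat no longer than max_ttl seconds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        provided_sig = _b64url_decode(s64)
    except ValueError:
        raise TokenRejected("malformed header or signature")
    # Pin the algorithm: trusting header["alg"] is what enables alg=none and key-confusion attacks.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        raise TokenRejected("missing exp")  # a token without exp is valid forever
    if exp <= now:
        raise TokenRejected("expired")
    if not isinstance(iat, (int, float)) or exp - iat > max_ttl:
        raise TokenRejected("lifetime exceeds policy")
    return claims


def outcome(token: str, secret: bytes, now: int) -> str:
    try:
        claims = verify_hs256(token, secret, now=now)
        return f"accepted as {claims['sub']}"
    except TokenRejected as exc:
        return f"rejected: {exc}"


def demo(now: int = 1_700_000_000) -> dict:
    # Constructed secret for the demo; in production it comes from a secret store and is rotated.
    secret = b"demo-secret-rotate-me"
    admin = {"sub": "admin", "iat": now, "exp": now + 600}
    tokens = {
        "fresh": sign_hs256({"sub": "alice", "iat": now, "exp": now + 600}, secret),
        "no_expiry": sign_hs256({"sub": "admin"}, secret),            # never-expiring token
        "long_lived": sign_hs256({"sub": "bob", "iat": now, "exp": now + 86400}, secret),
        "alg_none": sign_hs256(admin, secret, alg="none"),              # unsigned forgery
        "wrong_secret": sign_hs256(admin, b"guess"),                    # forged with a guessed key
        "leaked_secret": sign_hs256(admin, secret),                     # static secret already known
    }
    return {name: outcome(tok, secret, now) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The `leaked_secret` row is the uncomfortable one: the verifier is correct and still accepts the attacker's admin token, because a static, hardcoded secret turns "can sign" into "is the server". That is why rotation and short lifetimes are listed alongside validation rather than as optional extras.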

Vulnerability: How to Avoid Password Reset Poisoning

Security researchers and ethical hackers provide a valuable service to the API community by uncovering real-world vulnerabilities and helping developers understand how to avoid them. On that note, this detailed report by researcher Pratik Dabhi is well worth a read.

Continuing our theme of “how secure is the security?”, Pratik explores flaws in password reset functionality. Most apps and websites offer this feature to help users safely recover access to an account. But as this case shows, a weak implementation can become a backdoor for attackers.

By probing the application and its related endpoints, Pratik discovered a way to manipulate the system into generating a malicious password reset link, using the host header in a request.

Input validation for data-rich APIs usually concentrates on request bodies and URL parameters, the usual vehicles for injection attacks. This case is a reminder that headers carry attacker-controlled input too: the Host header is set by the client, so it must be treated as untrusted and checked against an allowlist before it is used to build any URL that will be sent to a user.
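The mechanism is easy to reproduce. The following is an added example (not code from the write-up or from the application Pratik tested) showing a reset-link builder that trusts the Host header next to a hardened one that validates the header against an allowlist and builds the link from configuration instead. The request dictionaries, hostnames and reset endpoint are constructed for the demo. A poisoned link matters because the reset token rides along in the URL: when the victim clicks it, the attacker's host receives a valid token for the victim's account.

```python
import secrets
from urllib.parse import urlsplit

# The origin for outbound links comes from deployment configuration, never from the request.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def build_reset_link_vulnerable(request: dict, token: str) -> str:
    """Deliberately flawed: builds the link from whatever host the client sent,
    honouring X-Forwarded-Host first, the way some frameworks 'detect' their own URL."""
    headers = request["headers"]
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset-password?token={token}"


def build_reset_link_hardened(request: dict, token: str) -> str:
    """Rejects requests whose Host header is not on the allowlist, and builds the link
    from configuration so the header value can never reach the URL."""
    host = request["headers"].get("Host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def link_host(link: str) -> str:
    return urlsplit(link).hostname


def demo() -> dict:
    token = secrets.token_urlsafe(16)
    # Constructed requests: a normal one, a poisoned Host, and a poisoned X-Forwarded-Host.
    requests = {
        "legit": {"headers": {"Host": "app.example.com"}},
        "poisoned": {"headers": {"Host": "attacker.example.net"}},
        "proxied": {"headers": {"Host": "app.example.com", "X-Forwarded-Host": "attacker.example.net"}},
    }
    results = {}
    for name, req in requests.items():
        results[f"{name}/vulnerable"] = link_host(build_reset_link_vulnerable(req, token))
        try:
            results[f"{name}/hardened"] = link_host(build_reset_link_hardened(req, token))
        except ValueError as exc:
            results[f"{name}/hardened"] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for name, where in demo().items():
        print(f"{name:20} -> {where}")
```

Note that the hardened version does two things, and both matter: the allowlist check turns a poisoned request into a loud failure you can alert on, and building the URL from `CANONICAL_ORIGIN` means the header cannot influence the link even if a future refactor relaxes the check. If your deployment legitimately sits behind a proxy, the proxy should be configured to overwrite `Host` and forwarded-host headers, not the application to trust them.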

A great write-up that might encourage urgent code reviews and security testing!

Breach: API Drift with Malicious Intent for CoinMarketCap

When a third-party API changes unexpectedly, it can break consuming applications or websites relying on specific media types or response formats. But broken functionality will be the least of your concerns when API changes are driven by malicious intent.

A recent API incident involving the cryptocurrency group CoinMarketCap is a perfect example of the risks from unsafe API consumption, the category listed in the OWASP API Security Top 10 2023 as API10: Unsafe Consumption of APIs.

GBHackers reports that CoinMarketCap used an API to dynamically pull a doodle image for its homepage, but attackers modified the API response to serve a malicious JSON payload instead. The response included JavaScript that ended up embedded on the CoinMarketCap site, tricking users into sharing details about their crypto wallets.

This is one of many reasons why well-maintained public API documentation has value for both integration and security. With a documented contract, consumers can routinely test the APIs they depend on for drift, which gives teams early warning of breaking changes or emerging vulnerabilities in dependency APIs and the wider supply chain.
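What "testing for drift" looks like in practice is a contract check on every response before anything from it is rendered. The following is an added example (not CoinMarketCap's code, and not a description of the real doodle API, whose schema is not public in the reports) that validates a third-party response against a hypothetical documented contract: exact field set, exact types, URLs restricted to https on allowlisted hosts, and no markup in text fields. The sample responses are constructed; the "drifted" one carries an extra field with a script tag, the general shape of the incident described above.

```python
import re
from urllib.parse import urlsplit

# Contract derived from the provider's documentation (hypothetical endpoint and fields):
# exactly these keys, exactly these types. Anything else is drift and is refused.
DOODLE_CONTRACT = {"image_url": str, "alt_text": str, "link_url": str}
ALLOWED_URL_HOSTS = {"cdn.example-provider.com", "www.example-provider.com"}
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)


class ContractViolation(Exception):
    pass


def validate_doodle(resp) -> dict:
    """Return the response unchanged if it matches the contract, otherwise raise."""
    if not isinstance(resp, dict):
        raise ContractViolation("response is not a JSON object")
    extra = sorted(set(resp) - set(DOODLE_CONTRACT))
    missing = sorted(set(DOODLE_CONTRACT) - set(resp))
    if extra or missing:
        raise ContractViolation(f"schema drift: extra={extra} missing={missing}")
    for field, typ in DOODLE_CONTRACT.items():
        if not isinstance(resp[field], typ):
            raise ContractViolation(f"{field}: expected {typ.__name__}, got {type(resp[field]).__name__}")
    # URLs are only ever loaded from hosts the documentation names, over https.
    for field in ("image_url", "link_url"):
        parts = urlsplit(resp[field])
        if parts.scheme != "https" or parts.hostname not in ALLOWED_URL_HOSTS:
            raise ContractViolation(f"{field}: {resp[field]!r} is not an https URL on an allowed host")
    # Text fields are data, never markup; the renderer should escape them regardless.
    if MARKUP.search(resp["alt_text"]):
        raise ContractViolation("alt_text contains markup")
    return resp


def check(resp) -> str:
    """Convenience wrapper so callers (and monitoring) get a one-line verdict."""
    try:
        validate_doodle(resp)
        return "ok"
    except ContractViolation as exc:
        return f"rejected: {exc}"


# Constructed sample responses.
DOCUMENTED = {
    "image_url": "https://cdn.example-provider.com/doodles/today.png",
    "alt_text": "Daily doodle",
    "link_url": "https://www.example-provider.com/doodles/today",
}
# An extra field smuggling a script tag: the kind of change a consumer must notice, not render.
DRIFTED = {**DOCUMENTED, "html": "<script src='https://attacker.example.net/wallet.js'></script>"}
OFF_HOST = {**DOCUMENTED, "image_url": "https://attacker.example.net/today.png"}
INJECTED_TEXT = {**DOCUMENTED, "alt_text": "<img src=x onerror=alert(1)>"}
WRONG_TYPE = {**DOCUMENTED, "alt_text": ["Daily doodle"]}


if __name__ == "__main__":
    for name, resp in [("documented", DOCUMENTED), ("drifted", DRIFTED),
                       ("off_host", OFF_HOST), ("injected_text", INJECTED_TEXT),
                       ("wrong_type", WRONG_TYPE)]:
        print(f"{name:14} {check(resp)}")
```

Two design points. First, the check is an allowlist, not a blocklist: a new field is refused even when it looks harmless, because the consumer cannot tell a benign provider change from a compromised upstream, and refusing is the safe default for a homepage. Second, wire the `rejected:` verdicts into monitoring; a dependency that suddenly fails its contract is exactly the early warning the paragraph above describes.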

Industry Events: Nordic APIs Security Unconference, October 13 

Coming in October, Nordic APIs will host an API Security UnConference in the beautiful city of Stockholm, covering topics like API access and identity management, OAuth and OpenID Connect, securing AI agents, governance and monitoring, documentation strategies, sector-specific standards, and more.

Unlike traditional conferences, the unconference format promotes open, participant-driven discussions, spontaneous idea-sharing and real-world problem-solving among peers.

Sounds like a great opportunity to connect with fellow API security professionals and dive deep into current challenges and solutions.

Check out the press release for more information about the event.

