This week, we share API security incidents from across different industries, highlighting the common vulnerabilities that continue to surface, from government web portals and security platforms to industrial equipment, home devices, and even service robots at your local restaurant.
Vulnerability: Tax Records Leak with API IDOR Flaw
Researcher Aseem Shrey disclosed an Insecure Direct Object Reference (IDOR) vulnerability in India’s Goods and Services Tax portal that exposed sensitive taxpayer records. He noticed that the web portal retrieves tax payment data through an API request, and that the request includes a receipt ID.
A visible resource ID like this invites the obvious test: change the value and see whether another user's information comes back. The fact that Broken Object Level Authorization (BOLA/IDOR) sits at the top of the OWASP API Security Top 10 list suggests the answer is often a resounding yes!
In this case, the API failed to verify that the current user was authorized to access the specific record (object), so any user logged into the system could read any other tax payment record simply by changing the receipt ID. This single API flaw risked exposing the financial information of 11.8 million Indian taxpayers and companies.
APIs handling sensitive records must enforce strict object-level authorization and avoid exposing predictable IDs to prevent this type of vulnerability. Read the report
Vulnerability: Fleet of Pedu Robots Vulnerable to BOLA
Another BOLA flaw to report, this time in the robot management APIs for a large Chinese robotics vendor. You’ve probably seen similar robots serving food or drinks in restaurants. Now apparently they’re also deployed at hospitals, offices, and retail stores. All controlled by Skynet (just kidding).
A researcher demonstrated how API calls to control robots and change settings could be executed without proper authorization. While the APIs required an access token, no object-level checks were enforced. Once again, by manipulating identifiers in the payload, attackers could take remote control of robots they didn’t own, creating risks of physical harm, sabotage, or surveillance.
This highlights yet again why testing for BOLA vulnerabilities and enforcing strict object-level authorization must be a top priority for API teams. Read the report
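Both reports above come down to the same missing check. The following is an added illustration in Python, not code from either vendor or the researchers: an object lookup that trusts the caller-supplied ID, beside one that verifies ownership before returning a tax receipt or accepting a robot command. The store contents, account names and ID format are constructed for the example.

```python
import secrets

# Constructed sample data (not from the reports): tax receipts and service
# robots keyed by ID, each recording the account that owns it.
RECEIPTS = {
    "RCPT-1001": {"owner": "alice", "amount": 4200},
    "RCPT-1002": {"owner": "bob", "amount": 980},
}
ROBOTS = {"robot-7": {"owner": "cafe-42", "mode": "serve"}}

class NotFound(Exception):
    """Raised for IDs the caller may not see; hides whether the ID exists."""

def get_receipt_vulnerable(receipt_id):
    # BOLA/IDOR: the caller is simply trusted to ask only for its own IDs,
    # so any authenticated user can walk RCPT-1001, RCPT-1002, ...
    return RECEIPTS[receipt_id]

def load_owned(store, object_id, caller):
    """Object-level authorization: fetch, then verify the caller owns it.

    A foreign ID and a missing ID both raise NotFound, so a caller probing
    IDs cannot tell 'exists but not yours' from 'does not exist'."""
    obj = store.get(object_id)
    if obj is None or obj["owner"] != caller:
        raise NotFound(object_id)
    return obj

def get_receipt(receipt_id, caller):
    return load_owned(RECEIPTS, receipt_id, caller)

def set_robot_mode(robot_id, caller, mode):
    # Control commands need the same check as reads; the access token only
    # proves who the caller is, not that it owns this particular robot.
    robot = load_owned(ROBOTS, robot_id, caller)
    robot["mode"] = mode
    return robot

def receipt_visible(receipt_id, caller):
    """Boolean helper: does the hardened path let `caller` see this receipt?"""
    try:
        get_receipt(receipt_id, caller)
        return True
    except NotFound:
        return False

def new_receipt_id():
    # Unpredictable IDs (128 random bits) defeat sequential guessing; this
    # supplements the ownership check above and never replaces it.
    return "RCPT-" + secrets.token_urlsafe(16)
```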
Vulnerability: Layer 7 DoS Vulnerability in HashiCorp Vault
When people hear of denial-of-service (DoS) attacks, they think of floods of traffic overwhelming a service. But APIs expose other ways for threat actors to knock out a service.
In August, HashiCorp Vault, a security platform for managing secrets and credentials, was itself found to be susceptible to a DoS attack when processing certain malformed API requests. Attackers could repeatedly trigger the issue to disrupt availability of the platform.
Malformed payloads can abuse JSON processing in several ways: deeply nested or otherwise complex data structures, oversized strings, or input patterns that overload server-side components.
Teams can mitigate the risk from application-layer (layer 7) DoS attacks by enforcing strict request validation: limit payload size and complexity, reject undocumented properties, and constrain user-supplied input to only what the API actually needs. Read the article
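The validation steps just listed, as an added Python example that is not Vault's code or the article's: the body size is checked before parsing, then nesting depth, string length and undocumented properties are enforced against a declared schema. The limits, the `SCHEMA` and the nested payload are constructed for the example.

```python
import json

MAX_BODY_BYTES = 4096      # illustrative limits; tune per endpoint
MAX_DEPTH = 8
MAX_STRING_LEN = 256

class RejectedRequest(ValueError):
    pass

def _check_shape(node, depth=0):
    """Walk parsed JSON, enforcing nesting depth and string length."""
    if depth > MAX_DEPTH:
        raise RejectedRequest("nesting deeper than %d" % MAX_DEPTH)
    if isinstance(node, dict):
        for key, value in node.items():
            _check_shape(key, depth)           # keys are strings too
            _check_shape(value, depth + 1)
    elif isinstance(node, list):
        for value in node:
            _check_shape(value, depth + 1)
    elif isinstance(node, str) and len(node) > MAX_STRING_LEN:
        raise RejectedRequest("oversized string")

def validate_request(raw, allowed_fields):
    """Parse a body, rejecting oversized, over-nested or undocumented input.
    allowed_fields maps each documented top-level property to its type."""
    if len(raw) > MAX_BODY_BYTES:              # cheapest check, before parsing
        raise RejectedRequest("body exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        body = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise RejectedRequest("malformed JSON: %s" % exc)
    if not isinstance(body, dict):
        raise RejectedRequest("top level must be an object")
    _check_shape(body)
    unknown = set(body) - set(allowed_fields)   # reject extras, don't ignore them
    if unknown:
        raise RejectedRequest("undocumented properties: %s" % sorted(unknown))
    for name, expected in allowed_fields.items():
        if name in body and not isinstance(body[name], expected):
            raise RejectedRequest("wrong type for %s" % name)
    return body

def is_accepted(raw, allowed_fields):
    try:
        validate_request(raw, allowed_fields)
        return True
    except RejectedRequest:
        return False

# Constructed samples: a documented schema and a 40-level nested payload.
SCHEMA = {"receipt_id": str, "amount": int}
NESTED_PAYLOAD = b'{"a":' * 40 + b'1' + b'}' * 40
```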
Vulnerability: US Grocery Stores Vulnerable to API Attacks
Emphasizing again the importance of input validation, here is another report of multiple API vulnerabilities, this time in Copeland refrigeration systems, including another layer 7 DoS vulnerability.
Copeland refrigerators are widely used in grocery stores across the U.S., and could be remotely controlled through APIs to change settings and temperatures, with obvious potential for disruption and damage.
One of the APIs lacked input validation, allowing the researchers to crash the service with a malformed API request and trigger a DoS attack. Other issues included excessive data exposure, where APIs returned sensitive information such as password hashes, and insecure endpoints that allowed remote activation of critical OS services like SSH and Shellinabox.
APIs are everywhere, but the same design flaws surface time and again. Broken object-level authorization and weak data validation remain among the most common and dangerous API vulnerabilities across industries. Read the article
Vulnerability: Privilege Escalation Flaw in Security Platform
Even security platforms can ship with serious API flaws. A recent report outlines multiple vulnerabilities in Securden's Privileged Account Management (PAM) solution, exposing it to authorization bypass and, ironically, privilege escalation attacks.
One flaw stemmed from an endpoint that issued session cookies without requiring authentication. Those cookies could then be used to obtain a CSRF token and a secondary cookie, granting access to the API. Because the API failed to verify whether the cookies actually belonged to an authenticated user, attackers could bypass authentication altogether, demonstrating a case of broken authentication.
In another case, an API allowed unauthenticated users to invoke privileged admin services, including backing up encrypted passwords to an attacker-controlled location. This highlights the need for strict function-level authorization checks, ensuring only users with the right roles and permissions can access sensitive operations. Read the report
Vulnerability: Broken Auth Exposes ESPHome Devices
ESPHome, an open-source technology widely used for IoT automation, was found to contain an authentication bypass in its embedded web server. The flaw allowed attackers to send API requests without credentials and control connected devices, putting homes and offices at risk.
A review of the code change in the ESPHome project shows the issue originated from a logic error in the authenticate function. Instead of validating full credentials, the function based the validation process on the length of the user-supplied credential.
This meant the attacker, not the server, decided how much of the credential was actually checked. In fact, by sending an empty Authorization: Basic header (so a length of zero), authentication was completely bypassed.
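To make the flaw class concrete, here is an added re-creation in Python; it is not ESPHome's C++ code, and the stored credential `admin:s3cret` is a constructed placeholder. The vulnerable function compares only as many characters as the client supplied, so an empty Basic header passes; the fixed one compares the whole credential, length included.

```python
import base64
import hmac

# Constructed credential standing in for whatever a device owner configured.
EXPECTED = "admin:s3cret"

def _decode_basic(header):
    """Return the decoded 'user:pass' from an Authorization value, or None."""
    parts = header.split(" ", 1) if header else []
    if not parts or parts[0] != "Basic":
        return None
    token = parts[1].strip() if len(parts) > 1 else ""   # "Basic" alone -> ""
    try:
        return base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def authenticate_vulnerable(header):
    """Flaw class described in the article: compare only as many characters
    as the client supplied, so an empty credential 'matches' any stored value."""
    supplied = _decode_basic(header)
    if supplied is None:
        return False
    return EXPECTED[:len(supplied)] == supplied

def authenticate_fixed(header):
    """Compare the whole credential, length included, in constant time."""
    supplied = _decode_basic(header)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), EXPECTED.encode())

def basic_header(user, password):
    """Build a client Authorization value for the sample checks."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```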
This case highlights the importance of pre-production security testing, particularly around authentication and authorization. Automated identity and access control scans can help catch subtle flaws like this before threat actors find them. Read the article