This week, we take a look at API vulnerabilities at NVIDIA and Supra, an OpenAPI extension for Visual Studio Code, and an upcoming API security webinar from NordicAPIs.
Vulnerabilities: NVIDIA GeForce Experience
NVIDIA GeForce Experience (GFE) is a supplementary application that users install with other NVIDIA products to “capture and share videos, screenshots, and livestreams with friends, and keep your drivers up to date and optimize your game settings.”
This week, GFE suffered an API vulnerability that allowed arbitrary remote command execution.
GFE starts a local API server that allows Cross-Origin Resource Sharing (CORS) from any origin. This makes it possible to send requests from a website that the attacker controls. It also had a POST operation that fed the payload directly into OS command execution.
Make sure you only accept calls from the origins they are supposed to come from, and always lock down and sanitize your inputs.
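The two fixes above, sketched as a small local API server. This is an added example, not NVIDIA's code: the allowed origin, port, action names, and stand-in commands are all assumptions.

```python
import json, subprocess, sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for illustration; none of these come from GFE.
ALLOWED_ORIGINS = {"https://app.example.com"}
# The request picks a key; the command line itself is fixed server-side.
ACTIONS = {
    "runtime-version": [sys.executable, "--version"],  # stand-in commands
    "runtime-help": [sys.executable, "--help"],
}

def cors_headers(origin):
    """Echo the origin back only if it is allowlisted (never '*')."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def resolve_action(origin, body):
    """Return (status, argv); argv is None unless the request is accepted."""
    # CORS headers only stop a page reading the response, so the
    # Origin check must also gate the side effect itself.
    if origin not in ALLOWED_ORIGINS:
        return 403, None
    try:
        data = json.loads(body)
    except ValueError:
        return 400, None
    name = data.get("action") if isinstance(data, dict) else None
    if not isinstance(name, str) or name not in ACTIONS:
        return 400, None
    return 200, list(ACTIONS[name])

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        origin = self.headers.get("Origin")
        try:
            length = min(max(int(self.headers.get("Content-Length", "0")), 0), 65536)
        except ValueError:
            length = 0
        status, argv = resolve_action(origin, self.rfile.read(length))
        self.send_response(status)
        for key, value in cors_headers(origin).items():
            self.send_header(key, value)
        self.end_headers()
        if argv:
            subprocess.run(argv, shell=False, check=False)  # no shell parsing

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8099), Handler).serve_forever()
```

The Origin check covers requests made by web pages in a browser; other processes on the same machine can set any Origin they like, so a local API that triggers privileged actions needs authentication as well.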
Vulnerabilities: Supra TV
A Supra Smart Cloud TV API vulnerability allows attackers to hijack TV sets and make them stream content from an arbitrary URL. It is a classic case of security by obscurity. Each device has an undocumented, unprotected API that attackers may use to supply a URL of the content to be streamed. No authentication is required.
To take advantage of the vulnerability, the attacker must access the TV from the network, for example, through a vulnerability in the home router.
Remember: even if your API is meant for internal use only, and you do not promote its existence, you still need to secure it. Otherwise, it is only a matter of time before someone finds it and exploits it.
Tools: Visual Studio OpenAPI Extension
Visual Studio Code (VS Code) is a popular open-source integrated development environment (IDE) from Microsoft.
There is now a new VS Code extension that makes it much easier to create new OpenAPI (formerly Swagger) files, and navigate and edit them. The extension adds API templates, navigation within the API definition, code snippets, schema validation, and IntelliSense for OpenAPI to the editor.
Events: APISecurity Webcast from NordicAPIs
Next Wednesday, June 19th at 7:00 am PST, NordicAPIs is hosting a livecast on API security with Daniel Lindau, Isabelle Mauny, and Bill Doerrfeld.
“Discover cutting-edge techniques deployed by modern organizations to both secure and scale their APIs. By automating the bug discovery process and standardizing how identity control, API developers are now prepared to better secure everything from microservices to Kubernetes clusters.
For this LiveCast, we’re devoting an hour to API security! Featuring community experts and their knowledge of new, advanced best practices for scaling API security.”