This week, we discuss API vulnerabilities in TP-Link Wi-Fi extenders, Amcrest cameras, Venmo transaction feed, and GateHub cryptocurrency wallet. We also take a look at the API security aspects of microservices architectures.
Vulnerabilities: TP-Link Wi-Fi extenders
TP-Link Wi-Fi extenders are a popular way to get better Wi-Fi coverage in houses and other spaces. Unfortunately, this week some of them got hacked through remote API calls that allowed complete device take-over.
The attack was accomplished by sending HTTP requests with a specially crafted User-Agent header. Just like with classical SQL injections, attackers included special characters that made the devices execute the text after these characters as local system commands. The API endpoint processes on the devices ran with root (administrative) privilege, opening limitless opportunities for attackers.
Advice to vendors:
- Define and enforce limits and patterns on all incoming and outgoing data (headers, parameters, or payloads) to make sure that your API never receives any unexpected data.
- Use accounts with minimal permission levels.
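The two pieces of advice above in code, as an added example that is not TP-Link's firmware or code from the advisory: the header is checked against an allowlist pattern with a hard length cap, and whatever survives is handed to the logging helper as a single argv element with no shell in the path, so command-separator characters have no meaning. The pattern, the length cap, the `logger` invocation and the `nobody` account are assumptions for this example.

```python
import re
import subprocess
from typing import List, Optional

# Allowlist for a User-Agent value the device is willing to process.
# Assumed pattern for this example: bounded length and only characters
# common in real user agents. Shell metacharacters such as $ ` | & " ' < >
# and newlines are outside the class and are therefore rejected.
USER_AGENT_RE = re.compile(r"[A-Za-z0-9 ./()+;:,_-]{1,256}")


def validate_user_agent(value: str) -> Optional[str]:
    """Return the header value if it matches the allowlist, otherwise None."""
    if USER_AGENT_RE.fullmatch(value):
        return value
    return None


def build_shell_command_vulnerable(user_agent: str) -> str:
    """The bug class from the advisory: untrusted header text concatenated
    into a command line that is later handed to a shell. Shown for contrast."""
    return "logger -t extender-api " + user_agent


def build_log_argv(user_agent: str) -> List[str]:
    """Hardened form: the header travels as one argv element. No shell ever
    parses it, so characters that would end a command line carry no meaning."""
    ua = validate_user_agent(user_agent)
    if ua is None:
        raise ValueError("User-Agent rejected by allowlist")
    return ["logger", "-t", "extender-api", ua]


def log_user_agent(user_agent: str, run_as: Optional[str] = None) -> int:
    """Run the logger without a shell. With run_as set, subprocess.run's
    `user=` keyword (Python 3.9+, needs the privilege to switch accounts)
    drops to that account instead of inheriting root from the API process."""
    argv = build_log_argv(user_agent)
    kwargs = {"shell": False, "check": False}
    if run_as is not None:
        kwargs["user"] = run_as
    return subprocess.run(argv, **kwargs).returncode
```

The regex is defence in depth; the fix that actually removes the bug class is `build_log_argv`, because argv elements are never re-parsed. The second piece of advice, minimal privilege, is what `run_as="nobody"` stands in for: even if validation were bypassed, the helper would not be running as root.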
Vulnerabilities: Venmo transaction feed
The popular consumer payment app keeps having its transaction data leak. This week, a researcher published 7 million financial transactions made by Venmo users.
The problem lies in the API that Venmo exposes so its app can show a feed of transactions that users’ friends are making. While this social aspect is a part of the experience that Venmo has created on purpose, there was no design reason for anyone to be able to invoke the API directly, outside of the Venmo app.
When notified of the issue about a year ago (when 207 mln transactions leaked), Venmo tried to mitigate the issue by simply limiting the maximum API invocation rate to 40 calls per minute. Now Dan Salmon simply created a script that operated within that limit and downloaded the 7 mln transactions over a span of a few months.
Recommendation to vendors:
- Ensure that your APIs can only be invoked by clients that need to invoke them (for example, your mobile app).
- Always protect APIs with proper authentication and authorization.
- Ensure that automated enumeration of records for bulk downloads is not possible.
- Set up monitoring and reporting to detect bulk activity.
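The last recommendation, monitoring for bulk activity, needs a signal other than the per-minute rate, since the scrape above stayed under 40 calls per minute the whole time. The added example below (not Venmo's code; the log format, client names and thresholds are constructed for it) parses a constructed access log and reports, per client, both the peak per-minute rate and the largest number of distinct records fetched inside a sliding one-hour window. The second number is what flags a slow scraper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed access-log format for this example (not Venmo's real format):
# <ISO-8601 UTC timestamp> client=<client id> GET /transactions/<record id>
LINE_RE = re.compile(r"^(\S+) client=(\S+) GET /transactions/(\d+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3))


def _fmt(ts: datetime) -> str:
    return ts.isoformat().replace("+00:00", "Z")


def constructed_log() -> List[str]:
    """Two clients: a scraper holding at 39 requests/minute (under a 40/min cap)
    for 30 minutes, and an ordinary user looking at a handful of records."""
    start = datetime(2019, 6, 17, 9, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(30):
        for i in range(39):
            ts = start + timedelta(minutes=minute, seconds=i)
            rec = 100000 + minute * 39 + i
            lines.append(f"{_fmt(ts)} client=scraper GET /transactions/{rec}")
    for i, rec in enumerate([500, 501, 500, 502, 503, 501]):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{_fmt(ts)} client=user42 GET /transactions/{rec}")
    return lines


def analyze(lines: List[str], per_minute_limit: int = 40,
            window: timedelta = timedelta(hours=1),
            bulk_threshold: int = 500) -> Dict[str, dict]:
    """Per client: peak requests in any calendar minute, and the maximum number
    of distinct records seen in any sliding `window`. A client can be under the
    rate limit and still trip the bulk threshold; that is the point."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, rec = parsed
            events[client].append((ts, rec))
    report = {}
    for client, evs in events.items():
        evs.sort()
        per_minute = defaultdict(int)
        for ts, _ in evs:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        peak = max(per_minute.values())
        # Sliding window over distinct record ids: the signal a rate cap misses.
        live = defaultdict(int)
        j = 0
        max_distinct = 0
        for ts, rec in evs:
            live[rec] += 1
            while evs[j][0] < ts - window:
                old = evs[j][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                j += 1
            max_distinct = max(max_distinct, len(live))
        report[client] = {
            "peak_per_minute": peak,
            "over_rate_limit": peak > per_minute_limit,
            "max_distinct_in_window": max_distinct,
            "bulk_suspected": max_distinct >= bulk_threshold,
        }
    return report


if __name__ == "__main__":
    for client, stats in analyze(constructed_log()).items():
        print(client, stats)
```

Counting distinct records rather than requests is deliberate: a legitimate client refreshing the same feed repeatedly stays low on this metric, while an enumerator that touches each record once climbs linearly with time no matter how slowly it goes.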
Vulnerabilities: Amcrest HDSeries cameras
Amcrest HDSeries cameras are popular, inexpensive consumer Wi-Fi security cameras. This week, vulnerabilities were disclosed that allow attackers to take complete control of the camera.
One of the flaws was that each camera stored the administrative credentials in cleartext at a fixed location on the camera. Anyone who knew the location could download the credentials simply by requesting the corresponding URL.
The most severe issue (10/10 in the Common Vulnerability Scoring System (CVSS) rating) was an API vulnerability allowing complete remote camera take-over:
- All camera management functionality is available through the API powering the mobile and web-app interfaces.
- The API requires authentication with username and password. The credentials are expected to be sent base64-encoded in one of the HTTP headers in the API calls.
- Unfortunately, the header length was not limited in the API implementation. Attackers could simply send a string of 1,024 characters to cause an overflow in the authentication check, and gain control over the camera without the credentials. The following article in API Security Encyclopedia covers this scenario: String parameter has no maximum length defined.
To make matters worse, all cameras could be located with the Shodan search engine, aggravating the problems.
To avoid such vulnerabilities in your APIs, make sure that:
- No device exposes data or files outside its protected APIs.
- Devices are not discoverable through internet search engines.
- Authentication follows security best practices.
- Limits are defined and enforced on all incoming and outgoing data: headers, parameters, payloads.
The issue was reported by Mandar Satam from Synopsys.
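The third and fourth points above applied to the header that caused the camera issue, as an added example that is not Amcrest's firmware: a Basic-auth header parser that bounds the raw header length before touching it, decodes with strict base64 validation, bounds each credential, and then verifies the password with a salted key derivation and a constant-time comparison. The length limits, the demo account and the PBKDF2 parameters are assumptions for this example.

```python
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed bounds for this example; a Basic header carrying realistic
# credentials is far shorter than either of them.
MAX_AUTH_HEADER_LEN = 256
MAX_CREDENTIAL_LEN = 64

# Constructed demo account. On a real device the verifier belongs in a
# protected store, not in a file reachable by URL.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


_USERS = {"admin": _derive("correct horse battery staple")}
_DUMMY = _derive("placeholder-so-unknown-users-cost-the-same")


@dataclass
class AuthResult:
    ok: bool
    reason: str
    username: Optional[str] = None


def parse_basic_auth(header: str) -> Tuple[Optional[Tuple[str, str]], str]:
    """Decode an HTTP Basic Authorization header with every field bounded."""
    # Length check first: nothing else touches the header until it is known
    # to be within the limit (the camera bug was an unbounded header).
    if len(header) > MAX_AUTH_HEADER_LEN:
        return None, "header too long"
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None, "unsupported scheme"
    try:
        raw = base64.b64decode(payload, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None, "undecodable payload"
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None, "malformed credentials"
    if len(user) > MAX_CREDENTIAL_LEN or len(password) > MAX_CREDENTIAL_LEN:
        return None, "credential too long"
    return (user, password), "ok"


def authenticate(header: str) -> AuthResult:
    creds, reason = parse_basic_auth(header)
    if creds is None:
        return AuthResult(False, reason)
    user, password = creds
    stored = _USERS.get(user, _DUMMY)
    # Constant-time comparison; unknown users are compared against a dummy
    # so response time does not reveal which usernames exist.
    match = hmac.compare_digest(_derive(password), stored)
    if match and user in _USERS:
        return AuthResult(True, "ok", user)
    return AuthResult(False, "bad credentials")


def make_header(user: str, password: str) -> str:
    """Client-side helper used by the tests to build a header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```

The ordering matters: the size check runs on the raw string before base64 decoding, because the decoder and everything after it are exactly the code that an oversized input would push into unexpected states.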
Vulnerabilities: GateHub cryptocurrency wallet
GateHub cryptocurrency wallets got hacked through APIs, and the attackers stole approximately $9.5 mln worth of cryptocurrency! This is one of those cases where the consequences of the API breach are very tangible and immediately apparent. Unfortunately, GateHub did not provide details on the vulnerability beyond stating that the APIs had been protected with authentication.
Too many companies still assume that API security is simply authentication. They rely on some sort of API management or API gateway solution to provide authentication, and are lulled into a false sense of security that can lead to a failure similar to the one that GateHub experienced. There is a lot more to API security than just authentication, like input and output validation, integrity, confidentiality, availability, authorization, audit, non-repudiation — and none of the aspects can be ignored.
Analysts: API security and microservices
KuppingerCole analyst Alexei Balaganski has published a post, “API Security in Microservices Architectures”. The main points include:
- The new tools and technology that microservices architectures rely on bring new security challenges and require new skills.
- APIs are the most critical attack vector in microservices architectures.
- Many businesses keep underestimating API security and hoping that legacy technology like web application firewalls (WAF) or API gateways can help.
- Key challenges for API security in microservices architectures:
  - Scale: the exponential growth in API communication between hundreds of microservices
  - Ephemeral endpoints: they get dynamically spun up and shut down
  - Diverse technology: programming languages, frameworks, authentication, authorization
  - Networking: isolation, segmentation, traffic encryption
- Recommended solutions:
  - Design a strategy that covers the whole API lifecycle.
  - Perform proactive security assessment of each microservice.
  - Protect each microservice with an individual micro API firewall.
  - Consider the Secure Production Identity Framework for Everyone (SPIFFE) and service meshes.
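What the last recommendation buys you in practice is a stable identity for each ephemeral endpoint, which a per-service policy can then be written against. The added example below is not from the KuppingerCole post or from any SPIFFE implementation: it validates a peer's SPIFFE ID against the format rules of the SPIFFE ID specification (lowercase trust domain, no port or userinfo, path segments that are not empty, `.` or `..`, 2048-byte cap) and checks it against a constructed per-service allowlist. The policy, the trust domain `example.org` and the service names are assumptions; obtaining the peer ID from the mutual-TLS certificate's URI SAN is left to the mesh or TLS stack.

```python
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Character rules from the SPIFFE ID specification.
_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")
MAX_SPIFFE_ID_LEN = 2048


def parse_spiffe_id(value: str) -> Optional[Tuple[str, str]]:
    """Return (trust_domain, path) for a well-formed workload SPIFFE ID,
    or None. A bare trust-domain ID without a path is rejected here because
    this policy only ever authorizes workloads (an assumption of the example)."""
    if len(value.encode("utf-8")) > MAX_SPIFFE_ID_LEN:
        return None
    u = urlparse(value)
    if u.scheme != "spiffe" or u.query or u.fragment or u.params:
        return None
    # netloc must be a bare trust domain: no userinfo, no port, lowercase only.
    if "@" in u.netloc or ":" in u.netloc or not _TRUST_DOMAIN_RE.fullmatch(u.netloc):
        return None
    if not u.path.startswith("/") or u.path == "/":
        return None
    for segment in u.path[1:].split("/"):
        if segment in ("", ".", "..") or not _SEGMENT_RE.fullmatch(segment):
            return None
    return u.netloc, u.path


# Constructed policy: which caller identities each service accepts.
POLICY: Dict[str, Set[str]] = {
    "ledger": {"spiffe://example.org/ns/payments/sa/api"},
    "payments": {"spiffe://example.org/ns/web/sa/frontend"},
}


def authorize(peer_id: str, service: str,
              policy: Dict[str, Set[str]] = POLICY) -> bool:
    """True only if peer_id is well-formed and listed for `service`.
    The ID is re-serialized from its parsed parts, so only the canonical
    form can match a policy entry."""
    parsed = parse_spiffe_id(peer_id)
    if parsed is None:
        return False
    trust_domain, path = parsed
    return f"spiffe://{trust_domain}{path}" in policy.get(service, set())
```

Default-deny is built in at two levels: an unknown service name has an empty allowlist, and an ID that fails parsing never reaches the lookup. That second level is the one an ad-hoc string comparison would skip, and it is why `..` segments and trust domains with ports are rejected before any policy is consulted.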