Issue 38: Cracked smartlocks, X-Frame-Options, standards gaining adoption


This week, we have seen some major adoption milestones for the OpenAPI and DNS over HTTPS standards. We also discuss TLS certificate pinning and the X-Frame-Options header, some not-so-smart locks, and the updated API security tooling from 42Crunch.

Vulnerabilities: Ultraloq smartlocks

Ultraloq smartlocks come with a mobile app, and the app's backend APIs have now been shown to be vulnerable. The APIs had no authentication or authorization in place, and they relied on base64 encoding (which is trivially reversible) instead of encryption. In addition to that, the user IDs were susceptible to enumeration.

Attackers could enumerate all users and their locks, get the physical PIN codes of each lock and change them, and get the BLE keys for the lock's Bluetooth commands. Armed with that information, attackers could take control of a lock and lock its owner out, using either the physical PIN codes or the Bluetooth commands.

Standards: OpenAPI Specification v3

OpenAPI Specification (OAS) is the industry standard for machine-readable REST API contracts. The standard is backed by 35 companies under a Linux Foundation project.

The UK Open Standards board now officially recommends that government organisations use OAS version 3 to describe RESTful APIs.

Standards: DNS over HTTPS

Google graduates their public DNS over HTTPS (DoH) service with full support for RFC 8484.

Using DoH is highly recommended and helps developers fight man-in-the-middle attacks.

Best practices: TLS certificate pinning

TLS certificate pinning can help further improve your API protection against man-in-the-middle attacks. If you need a quick introduction on that technology, see the recent article by Sam Bocetta at AT&T Cybersecurity.

Best practices: X-FRAME-OPTIONS headers

You can (and should!) use the X-Frame-Options HTTP response header to stop browsers from rendering your API's responses inside a frame, iframe, embed or object element on another page.

If you have any doubts about that, read this brilliant write-up by Inti De Ceukelaire. He used an API of a password management solution that lacked this header to launch very effective phishing attacks.
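As an added illustration (not code from the newsletter or from any product it mentions), the hypothetical WSGI middleware below forces the header onto every API response, and the audit helper tells you whether a given set of response headers actually blocks framing. It goes slightly beyond the page by also honouring the Content-Security-Policy frame-ancestors directive, which browsers prefer over X-Frame-Options when both are present.

```python
from typing import Callable, Dict

def framing_blocked(headers: Dict[str, str]) -> bool:
    """True if these response headers keep the body out of a frame, iframe,
    embed or object element on a third-party page."""
    lower = {k.lower(): v for k, v in headers.items()}
    # If CSP carries frame-ancestors, browsers ignore X-Frame-Options, so it wins.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            # An explicit origin allowlist is treated as "not blocked" here.
            return bool(sources) and sources <= {"none", "self"}
    xfo = lower.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return xfo in {"DENY", "SAMEORIGIN"}

def add_frame_options(app: Callable, value: str = "DENY") -> Callable:
    """Hypothetical WSGI middleware: set X-Frame-Options on every response,
    replacing any value the wrapped app already emitted."""
    def wrapped(environ, start_response):
        def patched_start(status, response_headers, exc_info=None):
            kept = [(k, v) for k, v in response_headers
                    if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start)
    return wrapped

def api_app(environ, start_response):
    """Constructed stand-in for an API that forgot the header."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"vault": "constructed sample"}']

def call(app: Callable, path: str = "/") -> Dict[str, str]:
    """Invoke a WSGI app in-process and return its response headers."""
    captured: Dict[str, str] = {}
    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    _ = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured

if __name__ == "__main__":
    print(framing_blocked(call(api_app)))                     # False
    print(framing_blocked(call(add_frame_options(api_app))))  # True
```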

Tools: 42Crunch API security

42Crunch Platform enables security by design from API development, to testing, to protection in production use.

Last week, the company released an updated version of their SaaS platform. The improvements include enhancements in static security audit and dynamic scan reports, user and token management, and DevSecOps support.
