Issue 4: Remini hacked, perils of free APIs, TLS explained, ATMs & SWIFT get APIs
Remini, a mobile app that schools use to communicate with parents, had kids’ profiles including pictures, email addresses, phone numbers, and milestones accidentally publicly exposed through an API. No authentication was required, because developers assumed that only their mobile app knows that the API exists, and account IDs used were sequential, so hackers could simply iterate on them to get all the records.
A good story on the perils of using free public APIs and scripts. Various sites embedded a Twitter counter script that was hosted by its creator in an AWS S3 bucket. The owner decided to discontinue the script and removed the S3 bucket. Hackers created a new S3 bucket with the exact same name, and all the sites that were still using the script ended up downloading and executing a new, malicious script on their pages.
Technology Deep Dive
A very cool TLS illustration and demo by Michael Driscoll shows and explains the TLS protocol step by step: how a client connects to a server, negotiates a TLS 1.2 session, sends a “ping”, receives a “pong”, and terminates the session.
Mobile app security vendor Data Theorem is adding API discovery and security analysis tools.
ATMs are also getting standardized APIs: “The ATM Industry Association has launched the next-gen API app model for ATMs.” The industry install base is 3.2+ million ATMs, and the consortium includes 180+ global ATM companies. The site has the blueprint of the next generation architecture, but the actual API is not yet finalized and published.
A new whitepaper on APIs in financial industry published by SWIFT, announcing plans to deliver a common API platform that includes identity management, financial crime compliance, reference data, global payments innovation (gpi), business intelligence, and API marketplace.
An interview with Anand Prakash, the founder of AppSecure and a bounty hunter that has found a lot of vulnerabilities in Facebook, Twitter, Uber, to name but a few. Lots of companies, including crypto exchanges, concentrate on protecting their UIs with passwords or two-factor authentication while forgetting to properly secure their APIs.