Issue 41: Tinder and Axway API Vulnerability, Equifax fined


This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news,  FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted.

Vulnerability: Tinder

Sanskar Jethi has found that Tinder enforces their premium features (such as unblurred images of those who like you) to be available for premium membership only in the app, not in the API. Their API actually delivers regular, unblurred images to everyone.

This is a similar vulnerability to the one in Facebook Marketplace API that we have discussed earlier. Vendors need to treat their API features and API security as product features and security. Relying on just the application frontend and ignoring the expanded attack surface can bite you.

Vulnerability: Axway SecureTransport

Axway SecureTransport is a system for sharing, securing, managing, and tracking files. It is used by a variety of government and military organizations, as well as some large businesses.

This week, Dominik Penner reported a vulnerability in the password reset API of SecureTransport. The API does not require authentication and accepts XML payloads.

Dominic found that these XMLs can include Doctype and Entity elements. This opens the system up to various attacks, including denial of service (DoS) through entity expansion, server side request forgery (SSRF), and Document Type Definition (DTD) repurposing.

Price of API security flaws: Equifax

In 2017, Equifax was breached and private information of 147 million people got exposed. The breach started with unpatched Apache Struts exploit. The system was not enforcing formats on incoming API calls and specifically crafted Content-Type header allowed attackers to get in.

This week, a settlement between Equifax and FTC was announced. Equifax is set to pay up to $700 million in various fines and compensations.

Slides: Applying API Security at Scale

Isabelle Mauny published slides from her “Applying API Security at Scale” webinar with NordicAPIs. Here’s a quick summary of the contents:

  1. Know your APIs and risks
  2. Implementation principles
  3. Self-hacking
  4. Deployment principles
  5. Visibility
  6. Next steps
  7. Resources

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy