This week, we look into a vulnerability in Microsoft Azure OAuth implementation that could have lead to take-over of Azure accounts. In addition, we take a look at the security in the shopping apps on mobile phones and 5G networks.
In other news, the recording of our OWASP API Security Top 10 webinar is now available and we have a follow-up session coming up.
Vulnerability: Microsoft Azure authentication
Microsoft Azure accounts were vulnerable to takeover due to a vulnerability in their OAuth2 implementation.
Omer Tsarfati and his team from CyberArk found that some of the reply URLs (redirect_uri) that the implementation trusted used wildcards and included domains and sub-domains available for registering. If attackers registered such a domain, they could use it to steal access tokens. In the worst case, this could compromise the whole Azure environment of the user under attack.
Properly implemented, OAuth 2.0 is a great way to provide delegated security for APIs. However, as this case shows, not paying proper attention to the implementation can wreck it all while lulling you into a false sense of security. Wildcards are evil and you should be very careful to only trust domains under your control.
State of security: API flaws in mobile apps
Mobile security vendor Zimperium analyzed the top 30 shopping apps from both Apple and Google app stores. The results paint a bleak picture of their security.
A lot of the discovered flaws are API-related:
- Apps accepting unencrypted HTTP traffic,
- Using outdated TLS versions,
- Overriding SSL/TLS chain validation,
- Using SSL CN with no validation.
API security should be as much built in during the design time of apps, not applied as an afterthought, if at all.
Threat Landscape: 5G
The 5G technology is based on REST API architecture, and thus API security is the key for 5G network security.
The EU Agency for Cybersecurity (ENISA) has published its 5G Networks Threat Landscape whitepaper. It looks into:
- The core threats,
- Edge gateways,
- Threats in virtualization,
- Recommended mitigation options for these.
Webinars
A couple weeks ago, we hadย the webinar on OWASP API Security Top 10. The recording is now available on the webinar page.
Next Thursday, December 12, there is a natural follow-up session Positive Security for APIs by Isabelle Mauny. This webinar covers practical steps that you can take to mitigate some of the vulnerabilities discussed in the previous webinar.
Positive security (aka whitelisting) is a powerful approach to protecting your APIs against the OWASP API security vulnerabilities A3, A6, and A8. The webinar will cover what positive security is, why it matters, and how to implement it.
Interested? Click the link to webinar and register to claim your spot.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy
