Issue 73: Up to 75% credential abuse attacks target APIs

This week, we check how Tinder’s API vulnerability has developed a life of its own, the latest statistics from Akamai on API security, the best current practices for JWT, and why API security needsย both API firewalls and API management, not just either or.

Vulnerability: Tinder

Back in July 2019, we covered the OWASP API3:2019 โ€” Excessive data exposure vulnerability in Tinder APIs. ย The premium features, such as unblurred images of those who like you, were not enforced on API-level. Thus, a suitable crafted request to the API could by-pass these restrictions.

Now, there’s a Reddit page with simple instructions and both Chrome and Firefox have extensions that exploit this flaw:

Your APIs are your interface. If there is information that you do not want to expose to users, do not expose it in APIs. It does not take long these days until someone figures out the data that you return or even makes it widely accessible โ€” like in this case.

Industry statistics: Akamai sees growth in API attacks

Akamai’s has published its “2020 State of the Internet / Security: Financial Services” report, and it includes some very interesting statistics:

  • From May 2019 and continuing on until the end of the year, there was a dramatic shift by criminals who started targeting APIs, in an effort to bypass security controls.

  • Up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly.

  • On August 7, 2019, Akamai recorded the single largest credential stuffing attack against a financial services firm […] consisting of 55,141,782 malicious login attempts. This attack was a mix of API targeting, and other methodologies.

  • On August 25, in a separate incident, the criminals targeted APIs directly, in a run that consisted of more than 19 million credential abuse attacks.

(Quotes are from Akamai’s press release.)

Another clear example on how the predictions on the increased importance of API security are coming true. According to Gartner, by 2022 APIs will become the most common attack vector.

Standards: JWT Best Current Practices

JSON Web Token (JWT)ย  Best Current Practices are now an official BCP 225 & RFC 8725 document. Great work by Yaron Sheffer, Dick Hardt, and Mike Jones.

JWT is now the prevalent way of passing identity information in REST API calls. Thus, JWT security is paramount for REST security in general.

Quoting the RFC abstract:

“JSON Web Tokens, also known as JWT are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.”

If you prefer watching a video to reading an RFC, check out the 3 recordings that we featured in our previous issue.

Opinion: API firewalls vs API management

Runtime API protection can be done with both API gateways and API firewalls.

As always in the industry, the terminology can be confusing and the lines can get blurry. Check out Isabelle Mauny’s (42Crunch) take on the two and why both have their place.

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy