Issue 74: Vulnerability in Login with Facebook, API security talks

This week, we check out how Facebook’s OAuth implementation in their social login feature left the access tokens vulnerable. We also have some statistics and predictions on the rise of API security, and recordings of a couple of more API security talks have been published.

Vulnerability: OAuth in Login with Facebook

Doing a bullet-proof OAuth implementation that works across multiple domains is not a trivial task to do. Amol Baikar found a flaw in Facebook’s OAuth implementation in the Login with Facebook feature.

An incorrectly configured API in Login with Facebook allowed attackers to lure users to a malicious website they controlled to steal users’ OAuth access tokens. This in turn could even lead to a full account takeover. Because of the nature of the feature, this could give the attackers access to multiple other third-party apps and services that used these access tokens.

The vulnerability was a combination of multiple factors including secondary unused endpoints, lack of security headers, lack of JavaScript function tampering protection, lack of regex validation, etc. See Amol’s writeup for details.

Facebook luckily fixed this vulnerability promptly, but it does show how important it is to pay extra attention to getting your authentication right.

Industry statistics: Rise of API security

National Cyber Security (NCS) has a useful summary of the latest statistics on the rise of API security. According to them:

  • API data breaches could represent more than 50% of records lost in the coming months and become the single largest vector of large-scale hacking. According to Verizonโ€™s 2019 Data Breach Incident Report, external hacking remained the largest threat actor (69%) and threat action (53%) respectively for data breaches reported last year. And the top threat vector successfully attacked was web applications, at approximately 67% of the time. APIs make large-scale attacks easier to automate and execute.
  • Shadow APIs continue to emerge as a new threat to cloud-first enterprises. Developers are spinning up APIs all the time and companies have little understanding of how many APIs they have, where, and who is responsible for them. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37% of all respondents marked this as the most important new control needed for cloud security).
  • Serverless continues to outpace Kubernetes and container usage. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning and IoT services. Serverless spending is expected to reach $7.7 billion by 2021, up from $1.9 billion in 2016 with an estimated CAGR of 33%.
  • Fines from the California Consumer Privacy Act (CCPA, took effect January 1, 2020) are projected to rise over $200 million already during its first year.

Videos: APIs in gift card fraud

Tanay Deshmuck’s practical demo from the recent RSA conference on using APIs for gift card fraud has been published.

The 15-year-old shows how he uses Fiddler and OpenBullet to discover web and mobile APIs, and run credential stuffing attacks on them. The video also touches on SQL injections, ways to counter the attacks, as well as tooling.

Videos: API security concerns

The recording of Inon Shkedy’s talk “API Security Concerns” from Checkmarx meetup is also out. Shkedy’s talk covers, among other things:

  • API security challenges (authentication, authorization, leaking data, mass assignments, CSRF)
  • Discovering and mitigating issues
  • Lots of real-life examples
  • Pentesting tips

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy