Issue 8: USPS API broken, APIdays, ETSI downgrades TLS
United States Postal Service (USPS) just fixed an API vulnerability. The vulnerability seems to have been a combination of:
- Developers not expecting outsiders to bypass the web page and call the API directly
- Insecure Direct Object Reference (IDOR): authenticating as one user and retrieving the data of another user
- A leaky API in which wildcard characters in query parameters were not rejected, so a single request could match many records
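To make the two defects concrete, here is an added illustration (not USPS code, and not from 42Crunch): a minimal lookup handler written the vulnerable way, next to a hardened version. The record fields, the `ALLOWED_FIELDS` set, and the sample data are constructed assumptions; the point is that an ownership check and rejection of wildcard metacharacters close both holes.

```python
"""Constructed demo of an IDOR combined with unfiltered wildcard parameters,
and a hardened handler that fixes both. Sample data and field names are
assumptions for the example, not real records."""
import fnmatch
import re

# Constructed sample records (assumed schema).
RECORDS = [
    {"user_id": "u1", "email": "alice@example.com", "street": "1 Main St"},
    {"user_id": "u2", "email": "bob@example.com", "street": "2 Oak Ave"},
    {"user_id": "u3", "email": "carol@example.org", "street": "3 Elm Rd"},
]

# Glob metacharacters that fnmatch would interpret if passed through.
WILDCARD = re.compile(r"[*?\[\]]")

# Fields a caller is allowed to query in the hardened version (assumption).
ALLOWED_FIELDS = {"email", "street"}


class BadRequest(ValueError):
    """Raised by the hardened handler for a malformed or disallowed query."""


def lookup_vulnerable(session_user: str, field: str, pattern: str) -> list:
    """Vulnerable handler: the authenticated caller is ignored (IDOR), and the
    value is treated as a glob, so a pattern of '*' returns every record."""
    return [r for r in RECORDS if fnmatch.fnmatchcase(r.get(field, ""), pattern)]


def lookup_hardened(session_user: str, field: str, value: str) -> list:
    """Hardened handler:
    1. only whitelisted fields may be queried;
    2. wildcard metacharacters are rejected instead of interpreted;
    3. results are scoped to the caller's own record, which fixes the IDOR."""
    if field not in ALLOWED_FIELDS:
        raise BadRequest("unknown field")
    if WILDCARD.search(value):
        raise BadRequest("wildcards are not permitted")
    return [r for r in RECORDS if r["user_id"] == session_user and r[field] == value]


if __name__ == "__main__":
    # u1 asks for every email: the vulnerable handler hands over all records.
    print(len(lookup_vulnerable("u1", "email", "*")), "records leaked")
    # The hardened handler refuses the wildcard and never returns other users' data.
    try:
        lookup_hardened("u1", "email", "*")
    except BadRequest as exc:
        print("rejected:", exc)
    print(lookup_hardened("u1", "email", "bob@example.com"))  # [] for u1
```

The ownership check is the important half: even with wildcards blocked, a handler that trusts a user-supplied identifier alone still lets one authenticated user enumerate another's record one request at a time.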
In Europe, the city of York, UK, had to shut down their mobile app, One Planet, due to an API vulnerability. The vulnerability allowed researchers to download data of all of the app’s 5,994 users, such as names, home addresses, postcodes, emails, telephone numbers, and encrypted passwords.
APIdays is the world’s leading API conference, and the Paris event is scheduled on December 11-12, 2018. The agenda includes quite a few security-related talks as well. If you are around and don’t have a ticket yet, 42Crunch is giving away free passes to the conference.
The “Dynamic Web and Mobile Application Development” guide newly published by DZone includes a section on API Token Management Security by Isabelle Mauny that takes a look at the best practices from the API perspective concerning, for example, obtaining tokens and keys, token management, OAuth, and JWT.
The European Telecommunications Standards Institute (ETSI) proposed its own variation of TLS 1.3, called eTLS, and it looks quite bad: it removes forward secrecy, which potentially enables eavesdropping by telcos and companies, as well as man-in-the-middle attacks.