As APIs become one of the most critical components of the software supply chain, misconfigured APIs are opening the door to cloud breaches and other security incidents. API security strategies must be on your list of top cybersecurity initiatives. Many organizations are one misconfigured API away from a major breach.
How Threat Actors Leverage Misconfigured APIs
There is a thriving market on the dark web for cloud access credentials. Hackers are highly motivated to obtain and sell these assets. They hunt for misconfigured APIs that will easily give up access to their desired target.
Weak passwords and lax password policies are an easy way to gain entry.
“Leaky APIs” are another method of access. These APIs require only minimal information to authenticate and will return sensitive, personally identifiable information in exchange.
Consumer credit bureau Experian exposed the credit scores of most Americans due to a leaky API. A security researcher uncovered the issue when he entered publicly available information about himself (name, address, and date of birth) into a lender’s website. The lender’s site used an Experian API to automate the credit query. Upon examining the code on the page, the researcher was able to see his own credit score because the API did not require any sort of authentication.
What Types of Malicious Activity Happen Via Misconfigured APIs?
The top forms of malware that occur via bad APIs are similar to many other breaches: cryptojacking and ransomware. These often occur when a misconfigured API is used to breach cloud services.
Most other API-related breaches involve data scraping. In the case of the 2021 Parler leak, broken user authentication on public APIs and a failure to regularly purge user data made it easy for activists to scrape data. Parler developers also misconfigured multi-factor authentication and used predictable, sequential content IDs. As a result, roughly 70 TB of users’ messages, videos, and posts were made public. Apple and Google removed the site’s app from their stores, and Amazon Web Services canceled hosting.
LinkedIn was involved in a disputed API data scraping incident in 2021. Data on 700 million users was gathered. The platform argues that since the data was public, the incident should not be considered a breach. But the scrape collated data in such a way that made it useful for hackers attempting credential stuffing and brute force attacks.
Following the incident, posts on the dark web offered LinkedIn profiles for sale for $5,000. The profiles were found to contain full names, LinkedIn user names and profile URLs, email addresses, phone numbers, physical addresses, geolocation records, gender, and usernames for other social media accounts.
How to Prepare for API Security Incidents
As with all cybersecurity vulnerabilities, the best way to guard against API issues is to harden systems and remember to patch, patch, patch. If there is a patch, patch it!
Technology researchers and consultants suggest adding a distinct pillar of security that is dedicated to APIs. They should not be lumped into another category. Remember that APIs are often facades for legacy systems that were never designed to be online. This API-enablement of legacy systems presents an increased attack surface with a set of risk factors that need to be carefully scrutinized in a risk assessment or pen test.
APIs should also be treated like software with a distinct life cycle that is maintained accordingly.
Other ways to prepare for cloud breaches that arrive via APIs include using OAuth and tokens; encrypting data; and adopting a Zero Trust Model, especially with remote users.
Finally, consider using rate limiting and throttling to avoid DDoS attacks via API.
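To make the preparation steps above concrete, here is an added example (not code from the article or from any of the companies it mentions) of a small lookup endpoint in the leaky shape the Experian case describes, beside a hardened version that requires a bearer token and throttles each client with a token bucket. The tokens, client names and credit scores are constructed sample data.

```python
"""Added example: a leaky lookup endpoint beside a hardened one that applies
token-based authentication and per-client rate limiting (token bucket).
Framework-free so it runs offline; the data below is constructed, not real."""
import hmac
import time
from collections import defaultdict

# Constructed sample data: issued API tokens -> client id, and the PII served.
VALID_TOKENS = {"tok-lender-A": "lender-A"}
CREDIT_SCORES = {"alice": 712, "bob": 655}


class TokenBucket:
    """Per-client bucket: refills `rate` requests/second up to `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: capacity)
        self.last = {}

    def allow(self, client, now):
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last[client] = now
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


def authenticate(headers):
    """Return the client id for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, client in VALID_TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time compare
            return client
    return None


def leaky_lookup(headers, subject):
    """The shape the article warns about: no auth, no limit, PII returned."""
    return 200, CREDIT_SCORES.get(subject)


LIMITER = TokenBucket(rate=1.0, capacity=3)


def hardened_lookup(headers, subject, now=None):
    """Hardened shape: 401 without a valid token, 429 once the bucket is empty."""
    now = time.monotonic() if now is None else now
    client = authenticate(headers)
    if client is None:
        return 401, None
    if not LIMITER.allow(client, now):
        return 429, None
    return 200, CREDIT_SCORES.get(subject)
```

The `now` parameter exists so the throttling behaviour can be exercised deterministically; in a real service the limiter state would live in shared storage rather than a module-level object.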
Develop a Strategy
An API security strategy must be included in your overall cybersecurity initiatives. APIs are a critical component of most systems, and attackers are always finding new ways to exploit any tool that is widely used. API abuses have become one of the most frequent attack vectors. Don’t become a victim.