Death by A Thousand Data Leaks: How APIs Overwhelm Security

Death by A Thousand Data Leaks: How APIs Overwhelm Security

Today’s attack surfaces are wider than ever, vulnerabilities seeping out from apps and inhabiting the flexible Application Programming Interfaces that keep the tech world turning.

Unfortunately, while most are aware of the traditional web app threats, APIs remain a murky area of security. Today’s gargantuan threat landscape demands a competent cloud WAF and even investment into WAAP.

What is an API?

APIs are the glue that keeps the modern browsing experience together. APIs simplify software use and development by allowing individual web apps to exchange data. Making a request to a server via an app is nowadays handled by a relevant API, thanks to the fact that properly-implemented APIs are very secure.

Instead of the server being directly exposed to your information, your device and the relevant API should share small packets of data, only communicating what’s necessary.

Agile and API: Security Double-Trouble

Agile is the business buzzword of yesteryear – it describes a form of production that amplifies the entrepreneurial idea of ‘minimum viable product’. Agile’s goal is to push out the minimum product at each stage; instead of ever calling a product ‘finished’, it is merely looped into yet another round of patching bug fixing and improvements.

Though this perpetual patching seems fantastic for security (constant software support? Nice!) The economic reality of software production means that the quantity of APIs quickly becomes unwieldy.

As development teams move rapidly, APIs are rarely comprehensively documented. This makes it incredibly hard to peer into an app’s internal mechanisms and understand which APIs do what. It also makes security infinitely more difficult, as development teams themselves do not know the true size of their API inventory. This places cybersecurity as a low priority; always reactive and never proactive.

Overlooked APIs

When app security is mentioned, the first thing that comes to mind are the security heavyweights. Attacks such as cross-site-scripting; SQL injection, and DDoS attacks are all incredibly well-known. The apps themselves are often guarded well by plug-and-play solutions such as perimeter-patrolling Web Application Firewalls.

Little attention is ever paid to APIs, much to the detriment of oblivious organization and their clients. Take the example of an API vulnerability that cropped up in Uber’s system.

When an Uber driver joins Uber via a referral link, they boot up the app and input the referral code. Upon pressing the enter button, the app browser communicates with the API host  “bonjour.uber.com”. From there, bonjour.uber receives the User ID parameter and returns details about the driver back to the user’s app, ready to input into the following consent screen.

However, this one API was found guilty of two major security breaches. The first was Broken Object Level Authorization (BOLA). The API didn’t check that the user’s ID matched their ID parameter; it was therefore possible to access the data of other users by simply changing the user ID.

The second issue was excessive data exposure. The API’s response – to return user details – bundled all that info into one batch, containing every one of the user’s details. This meant the API returned information that the client didn’t explicitly need, violating a major pillar of cybersecurity best practice.

Now consider that the average organization relies on over 15,500 APIs, and the scale of risk starts to appear. Thankfully, the Uber API was plugged before any major damage occurred; the following company wasn’t quite as lucky.

The Peloton Problem

Peloton’s at-home fitness brand is enjoyed by over 3 million subscribers. Live fitness classes are a major selling point, though if you’re not willing to share your medical data with other class attendees then it’s possible to set your peloton account to private.

Unfortunately, a number of API vulnerabilities saw the exposure of this data to unauthorized users. Information of class attendees could be scraped on a large scale, as one API endpoint failed to validate a requesting user. This allowed unauthorized attackers to gain the username, location, workout ID, gender and age of Peloton users.

APIs have been the cause of high-profile data leaks for years. Facebook’s constant data scandals throughout 2018 and 2019 saw one breach occur after another, primarily through third-party developer APIs. One example was the Groups API; developers working on a B2B social media management app could freely access the names and more personal information of group members. Though this social media management app was meant to aid group admins in managing their groups more effectively, Facebook had to remove it and its API.

These data scandals culminated in 2021, when a black market database of over 533 million Facebook users had their names, phone numbers and Facebook user IDs leaked.

Preventing API Leakage

The Open Web Application Security Project (OWASP) regularly publishes the most severe and widespread web app vulnerabilities to keep an eye on. The mounting security threat represented by APIs is severe enough to warrant its own OWASP top-ten list, which is consistently topped by Broken Object Level Authorization.

Thankfully, protecting your APIs – outside of demanding a slower development cycle – tracks closely with securing your overall organization as a whole. Your first point of call would be a decent Web Application Firewall (WAF). This solution monitors the perimeters of your apps, preventing API gateways from being exploited by major vulnerabilities.

Web Application and API Protection (WAAP) takes things a step further. It sits entirely at the public-facing boundary of an app, analyzing all incoming traffic.  By monitoring patterns of legitimate traffic and requests, WAAPs are highly specialized security tools specifically designed to protect APIs.

Whereas WAAP is an endpoint-level defensive system, Runtime Application Self Protection (RASP) solutions wrap around specific web apps. A RASP solution – distinct from WAF – also has insight into the internal workings and behaviors of its application. This way, should an API be used as a foothold in an attack, and queried for more information than should feasibly be so, a RASP can shut down an attack proactively.

With a myriad of API protection options available, securing your apps and your organization has never been easier.

John Norwood
John Norwood is best known as a technology journalist, currently at Ziddu where he focuses on tech startups, companies, and products.