Think of a world in which a fridge is connected to the internet. Well, it doesn’t require much thinking since smart fridges are a reality. The world today is becoming more digitized and connected every passing hour. And to fit into this world, APIs have had to evolve as well. They’ve come a long way from being used only on secure private networks. These days, APIs have become vital to enterprises. They help facilitate communication of various components inside an internal system with each other and with the outside world. Therefore, APIs can prove to be a direct gateway from the outside to a company’s internal system enabling access to critical data. This is precisely why their security is crucial.
3 notable API breaches
The largest Indian classifieds search engine was subject to a major security breach in early 2019. The company was accused of leaking private and personally identifiable data of its entire database – over 100 million users. The reason for this breach was a malfunctioning API with no encryption that was publicly accessible. This enabled anyone to access any and all data they desired. In addition to this, it was found that there was a chink in JustDial’s API that exposed the database of individuals who posted reviews on the platform. All of the exposed data was being collected in real-time from a production server. Luckily for JustDial, this was only a breach by a security researcher and not from a malicious actor or the consequences would have been dire.
In August of 2018, telecommunications mammoth T-mobile was hacked which led to the personal information of over 2 billion of their customers being stolen. This included sensitive information of former, current and potential customers as well. The attackers targeted a leaky API with a configuration issue that made it publicly available to be accessed without any authorization or encryption. This enabled them to enter the internal network and access the entire operating system. Although the company was able to warn its customers and shut down the attack swiftly, the hackers attempted to monetize all the stolen data.
The social media giant has had its fair share of security breaches over the past few years. In 2018, Facebook was subjected to two security breaches due to issues with its APIs. In the first breach, cybercriminals exploited a vulnerability in Facebook’s developer API that enabled them to access the personal data of millions of users. The “view as” feature that enables users to view their profile as someone else had a bug that generated an access token. The access token was created using the credentials of the person who the profile page was being viewed as. When the token was acquired, a hacker could seamlessly log in to the account of the other person. This acquisition also enabled hackers to access any websites that were logged into using Facebook.
In the second breach, a photo API bug exposed the private data of over 6 million users. The API bug was in the Facebook login that granted permission to third-party developers and applications to access photos shared with the platform. Usually, when a person grants permission to an app to access their pictures on Facebook, the app can only access pictures shared on the timeline. But due to the bug, apps could also access other photos as well as photos that weren’t even uploaded. Developers were also able to retain access to these pictures even after access was ended.
How to be Immune to API attacks
Inventory your APIs
Irrespective of how many publicly accessible APIs an organization has, it needs to conduct regular perimeter scans on them and register them. This helps authenticate and authorize all APIs and discard the ones that don’t have new security measures implemented in them.
Don’t expose more data than necessary
Some APIs reveal too much unnecessary information about their endpoints. Or they contain information not meant to be shared like keys, passwords etc. All this extra or sensitive information should be removed before an API is made public. This can be done by integrating scanning tools into the DevSecOps processes. It can also be done by ensuring that APIs return only the information necessary to fulfil their function.
Use strong authentication solutions
It is important to control and monitor the access to APIs as they provide an entry point into any company’s database. Poor authentication solutions lead to authentication factors that can be broken into easily. Using trusted mechanisms like OAuth2.0 is key to securing your API.
Use rate limiting
Setting particular rate limits will help manage network traffic that will make it easier to regulate user connections. It will help prevent denial-of-service attacks and increase the overall performance and security of the API.
Make “least privilege” your motto
The principle of least privilege dictates that a subject (users, processes, systems) be given the minimum level of access or permission required to perform their job or function. This fundamental security principle should be religiously followed.
With so much of the world connecting with APIs, they have increasingly become the most targeted attack vector. And in conditions like these, not having a security-first mindset is almost criminal. Irrespective of the number of APIs an organization has made public, it is essential to establish strong API security practices. As the app development methods evolve constantly, it is important that security measures keep up with them.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.