We encounter Application Programming Interfaces (APIs) every day without realizing it. When building their web pages, companies often use ready-made solutions that are already on the market, and most modern sites integrate at least a few third-party APIs. How does this work for the average user? Take an online purchase: as soon as we click the “pay” button, the site hands us over to the payment system, and that handoff goes through a third-party API. In simple terms, an application programming interface lets two programs exchange information and perform certain functions.
Judging by the number of API-related incidents, it is high time companies cared about the security of the data that passes through them. Let’s look at the top 10 causes of API vulnerabilities, each illustrated by a real incident:
- Google Analytics API as an attack vector.
There is a tool called Content Security Policy (CSP). It is used to protect web applications from client-side vulnerabilities and Magecart attacks. The problem is that CSP is not fully compatible with the Google Analytics API. Because Google Analytics is so widely used on websites to collect statistics and data for business decisions, its domain is usually placed on the CSP allow list, and that opens up opportunities for cybercriminals. Conclusion: always consider the risks of using a third-party API.
- Disadvantages of the YouTube API.
When uploading videos through Video Builder, the tool showed a list of the account’s channels and let the user pick the right one. If you called the API directly and sent a channel ID that did not belong to you, you could upload the video as a different user: YouTube did not check the permissions and uploaded the video to whatever channel was selected.
- Twitter API bug.
Publishing a tweet as a Fleet lets you share content that disappears after 24 hours. At least that is what everyone thought. Expired posts were filtered out only at the UI level: when an expired Fleet was accessed through the API, no notification was sent to its owner, leaving them in the dark.
- Multiple vulnerabilities in Tesla Backup Gateway APIs.
The Tesla Backup Gateway is a platform for managing solar panels and batteries. It decides when to charge the batteries, when to send energy back to the grid, and what combination of solar, battery, and grid energy to use to power the home. The system is connected to the Internet, and it turned out that some of its APIs do not require authentication. That means energy consumption and production data (name, country and state, utility company name, etc.) are openly exposed.
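As an added illustration that is not part of the original article, the following Python sketch shows the two failures behind the Tesla and YouTube cases above: an endpoint that requires no authentication at all, and an endpoint that authenticates the caller but never checks that the caller owns the channel ID it sends (the same missing object-level check as the Facebook name-change flaw described further down). All tokens, user names, channel IDs and the energy data are constructed placeholders.

```python
from dataclasses import dataclass, field
# Constructed sample data (not from the article): channel owners, valid tokens, site energy data.
CHANNEL_OWNERS = {"chan-A": "alice", "chan-B": "bob"}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ENERGY_STATS = {"site": "constructed-site", "kwh_produced": 12.5}

@dataclass
class Request:
    headers: dict
    body: dict

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

def authenticate(req):
    """Map a bearer token to a user name, or None when missing or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

# Tesla-style failure: the energy endpoint requires no authentication at all.
def energy_stats_vulnerable(req):
    return Response(200, ENERGY_STATS)

def energy_stats_fixed(req):
    if authenticate(req) is None:
        return Response(401, {"error": "unauthenticated"})
    return Response(200, ENERGY_STATS)

# YouTube-style failure: the caller is authenticated, but the client-supplied
# channel_id is trusted without checking that the caller owns that channel.
def upload_video_vulnerable(req):
    user = authenticate(req)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    return Response(200, {"uploaded_to": req.body["channel_id"], "by": user})

def upload_video_fixed(req):
    user = authenticate(req)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    channel = req.body["channel_id"]
    if CHANNEL_OWNERS.get(channel) != user:
        # 404 rather than 403: do not confirm to outsiders that the channel exists.
        return Response(404, {"error": "not found"})
    return Response(200, {"uploaded_to": channel, "by": user})
```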
- Vulnerabilities in the Mercedes Benz car management system.
Researchers accessed the internal network of the Mercedes-Benz E-Class via a digital SIM card (eSIM) and discovered several vulnerabilities. To connect, they had to reuse APN (packet data network identifier) settings, spoof IMEI (International Mobile Equipment Identity) numbers, and find and reuse certificates. Yet once they had overcome all these obstacles and established a connection, they found that the APIs themselves were completely insecure.
- MGM Grand hotel and casino data leaks.
An advertisement for MGM Grand customer data was posted by a hacker on the darknet back in 2019. But how did he get it? It appears the information reached him through a leak at Data Viper, the security platform MGM was using. Data Viper, in turn, lost its database because of a poorly coded API. Another reason to think about security when relying on third-party service providers.
- Facebook vulnerability.
Because of a misconfigured GraphQL API, Facebook had a vulnerability that was attractive to attackers: any user could change another person’s name on their page. Although not a direct data leak, scammers could use such a flaw to impersonate other people and gain access to private information.
- A third-party app exposed 8 million records of top merchants.
Amazon UK, eBay, Shopify, PayPal, and Stripe are among the companies whose records were leaked. Eight million purchase records were compromised because of vulnerabilities in a third-party service provider that helped merchants aggregate sales and returns data from multiple marketplaces and calculate value-added tax (VAT) for cross-border sales in the EU. The incident highlighted the dangers of transmitting data to third parties via APIs.
- Phone numbers of 267 million Facebook users leaked online.
The incident occurred in December 2019, when a database containing millions of Facebook users’ phone numbers was published on an online hacker forum. How the data was leaked is unknown, but one theory is that it was harvested from Facebook’s developer APIs before the company restricted access to phone numbers in 2018.
- The personal data of 1.41 million U.S. doctors were sold on the darknet.
Hackers used an unsecured API on findadoctor.com to collect information on 1.4 million U.S. doctors. Although the information on the site itself was publicly available, the unsecured API allowed it to be downloaded in bulk in a structured form. The danger is that all this data can be used to launch further attacks.