API Security Weekly: Issue #11

As we are wrapping up 2018, you can’t help looking back at the record number of high profile API breaches that happened this year.

By Dmitry Sotnikov · Dec. 21, 18 · News


As we are wrapping up 2018, you can’t help looking back at the record number of high profile API breaches that happened this year and wondering what can be expected next year. However, it is not all about the holiday mood: this week was also marked by a security hole in mutual TLS authentication in the Go language, XSS at Google Code-in, another Facebook glitch, hundreds of vulnerable Kubernetes deployments, and an announcement of the upcoming healthcare API standards in the US.

Vulnerabilities

The big one this week is the mutual TLS authentication issue in the Go language. The vulnerability, fixed this week, allowed attackers to launch CPU denial-of-service (DoS) attacks. With Go being one of the most popular programming languages in the microservices and backend world, and mutual TLS being one of the most popular security mechanisms, the impact of the vulnerability is significant.


Does your web application render JSON API responses in HTML? If yes, make sure to escape '</', or attackers can get their scripts planted and perform a cross-site scripting (XSS) attack. Here’s how Thomas Orlita hacked Google Code-in’s website, where this wasn’t taken into account.
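To make the '</' point concrete, here is an added example (not code from the original post or from the Google Code-in site): a constructed API response embedded in an inline script, first the vulnerable way and then with the escaping applied. It generalizes slightly beyond '</' by escaping every '<', '>', '&' and the JavaScript line terminators U+2028/U+2029, which is the usual hardening for JSON inside a script element.

```javascript
// Added example: embedding a JSON API response inside an inline <script>
// element of a server-rendered HTML page. Assumed scenario: the template
// produces <script>var data = <JSON>;</script> and the JSON contains strings
// that users control.

// Constructed API response: the "bio" field carries a closing script tag.
const apiResponse = {
  user: 'alice',
  bio: 'hi</script><script>alert(document.cookie)</script>',
};

// Vulnerable: JSON.stringify output is valid JavaScript, but the HTML parser
// ends the <script> element at the first "</script" it sees, regardless of
// JavaScript string quoting. The attacker-controlled markup then runs.
function renderUnsafe(data) {
  return `<script>var data = ${JSON.stringify(data)};</script>`;
}

// Hardened: rewrite "<", ">" and "&" as JSON \u escapes, so the script body
// never contains "</" while JSON.parse still yields the identical object.
// U+2028/U+2029 are line terminators in JavaScript (though legal in JSON
// strings), so they are escaped as well.
function jsonForInlineScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(data) {
  return `<script>var data = ${jsonForInlineScript(data)};</script>`;
}

// Check a test suite can run over rendered markup: does the content of the
// script element (between the first <script> and the last </script>) contain
// a "</" sequence that the HTML parser could treat as an end tag?
function scriptBodyContainsCloseTag(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.lastIndexOf('</script>');
  return html.slice(start, end).includes('</');
}

// The escaped form must decode to exactly the original data.
function roundTrips(data) {
  return JSON.stringify(JSON.parse(jsonForInlineScript(data))) === JSON.stringify(data);
}
```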

Facebook had their fair share of API troubles earlier this year. This week, they reported a fairly minor vulnerability in their photo API: the API gave third-party developers and their apps access to photos that users had shared in Marketplace, Stories, or even drafts, not only to the photos the users had shared on their timelines, as is normally the case. The issue occurred between Sept 13 and 25, and it was detected by Facebook’s own team. No actual breach is known to have happened, but the potential impact still affects 6.8 million users (as even a minor glitch affects millions on Facebook). In total, 1,500 apps from 876 developers could potentially have made use of the issue.

Unprotected APIs

We talked about unprotected Docker deployments just last week. Guess what, lots of Kubernetes clusters also end up with APIs publicly exposed on the internet. Folks at BinaryEdge located many of them by testing IP-ADDRESS:PORT/api/v1/pods for various servers. Plenty of the clusters seem to have been already hijacked by cryptominers.

Opinions

Tristan Liverpool, Systems Engineering Director at F5, sees API Security as one of the challenges for businesses in 2019.

End-of-year articles are starting to pop up. In Business Insider, Paige Leskin summarizes the 21 biggest data breaches of 2018. Many of them are API-related. The list obviously isn’t exhaustive (for example, Panera and a few others that we have covered this year are missing), but it shows the trend and the scale of the issue!

Regulations

According to Donald Rucker, the US Office of the National Coordinator for Health IT will soon release new requirements for a standard open API for patient data access. The goal is to ensure security while enabling the development of mobile and other healthcare applications that could work across all healthcare providers.

You can subscribe to this newsletter at https://APISecurity.io.


Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
