
API Security Weekly: Issue #19


This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security.


Vulnerabilities

You’d think casinos would be at the forefront of security; after all, they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public, unencrypted APIs to communicate with the backend servers, so anyone could listen in on the traffic containing customers’ personal information. Attackers could even submit data, such as adding credit for themselves.

It turns out that the smart electric scooter by Xiaomi (M365) has unprotected APIs. Although the mobile app has password protection, behind the scenes the application invokes APIs that require no authentication at all.

Smartwatches from well-known brands can have vulnerable APIs, too. The APIs behind the Lenovo Watch X do not use encryption at all: information such as the username, password, and location is sent as cleartext. Knowing the username is all it takes to take control of someone’s watch. See also our earlier smartwatch breach reports in Issue 18 and Issue 7.

Patch Required

There has been a new successful Bleichenbacher attack on TLS v3. Attackers can force TLS to downgrade to v2 and then exploit the weaker version. If your TLS/SSL library is older than November 2018, upgrade it ASAP!

Research

Researchers from the University of Michigan and Universidade Federal Rural de Pernambuco have looked into the security of top-selling smart devices on Amazon. They took 96 Wi-Fi and Bluetooth-enabled devices and analyzed the smartphone apps that control these devices. The basic API and network security of these apps turned out to be quite bad:

  • 31 percent of the apps had no encryption at all.
  • 19 percent of the apps had hard-coded keys.
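As an added illustration of the two findings above (this is not code from the study or from the newsletter), here is a small static check of the kind a reviewer can run over a companion app's source: it flags cleartext `http://` endpoints and string literals assigned to credential-like names, using a Shannon-entropy threshold to skip obvious placeholders. The sample source, the name pattern and the entropy threshold are all assumptions made for the demo.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the style of a companion app's configuration module.
# The hosts and key values are made up for the demo and belong to no real product.
SAMPLE_SOURCE = """\
BASE_URL = "http://api.vendor.example/v1"
TELEMETRY_URL = "https://telemetry.vendor.example"
API_KEY = "AKIAIOSFODNN7EXAMPLE"
DEVICE_SECRET = "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
LOG_LEVEL = "INFO"
api_key = os.environ["DEVICE_API_KEY"]
"""

# A URL without TLS: traffic is readable and modifiable by anyone on the path.
CLEARTEXT_URL = re.compile(r'\bhttp://[^\s"\']+')
# A string literal (8+ chars) assigned to a name that suggests credential material.
# Reading the value from the environment, as on the last sample line, does not match.
SECRET_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:key|secret|token|password|passwd)\w*)\s*=\s*["\']([^"\']{8,})["\']'
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys score well above prose."""
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_source(text: str, min_entropy: float = 3.0) -> List[Dict[str, object]]:
    """Return one finding per cleartext endpoint or likely hard-coded credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CLEARTEXT_URL.finditer(line):
            findings.append({"line": lineno, "kind": "cleartext-endpoint", "value": m.group(0)})
        m = SECRET_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append({
                "line": lineno,
                "kind": "hardcoded-secret",
                "name": m.group(1),
                "entropy": round(shannon_entropy(m.group(2)), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

On the constructed sample this reports the `http://` base URL and the two literal keys while leaving the `https://` endpoint, the log level and the environment lookup alone; in practice such a check runs in CI over the app's source and configuration files, and the entropy threshold is tuned to the code base to keep false positives down.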

Best Practices

Isabelle Mauny from 42Crunch has published her Token Management Security Best Practices. Here’s a quick overview of the table of contents:

  • Trust no one
  • Obtaining tokens and API keys
  • Token management
  • Don’t hardcode secrets
  • OAuth is not for authentication
  • JWT content and access
  • JWT validation
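As an added example (not code from the 42Crunch document or from this newsletter), the following validator shows three of the items above in working code: the signing secret is read from the environment instead of being hard-coded, the verifier pins the accepted algorithm rather than trusting the token header, and the signature, expiry, issuer and audience are all checked before any claim is used. The issuer, audience, environment variable name and fallback secret are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# The HMAC secret comes from the environment, not from the source. The fallback
# is a constructed placeholder so the demo runs stand-alone; a real deployment
# sets API_JWT_SECRET and ships no default at all.
SECRET = os.environ.get("API_JWT_SECRET", "demo-only-placeholder-secret").encode()

ALLOWED_ALGS = {"HS256"}                 # explicit allowlist; "none" is never accepted
EXPECTED_ISS = "https://login.example"   # constructed issuer for the demo
EXPECTED_AUD = "orders-api"              # constructed audience for the demo


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Produce a compact JWT signed with HMAC-SHA256 (used here only to build test input)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims when every check passes; raise ValueError on the first failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")

    # 1. The verifier pins the algorithm; the token's own header never chooses it.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")

    # 2. Verify the signature (constant-time compare) before trusting any claim.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")

    # 3. Required claims: a token with no expiry, issuer or audience is rejected,
    #    not treated as unlimited.
    for claim in ("exp", "iss", "aud"):
        if claim not in claims:
            raise ValueError(f"missing claim: {claim}")
    exp = claims["exp"]
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if claims["iss"] != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims["aud"]
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("token not intended for this API")
    return claims


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, now=now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    base = {"sub": "user-42", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": int(time.time()) + 300}
    print("good token:", rejection_reason(mint_token(base)))
    print("alg=none:", rejection_reason(mint_token(base, alg="none")))
    print("expired:", rejection_reason(mint_token({**base, "exp": 1})))
```

The order of the checks matters: the algorithm is pinned and the signature verified before a single claim is read, so a tampered payload or a header asking for `none` is rejected without the validator ever acting on its contents, and a token that merely omits `exp` or `aud` fails closed rather than being accepted as unlimited.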

You can subscribe to the API Security Weekly newsletter at https://APIsecurity.io.
