API Security Weekly: Issue #21

This week, we look at vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US and changes in attack trends between 2017 and 2018.

Vulnerabilities

Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it has turned out that PATCH API request payload was not sanitized. Attackers could craft a payload to overload the CPU and perform a denial of service (DoS) attack. To prevent the attack, upgrade Kubernetes to v1.11.8, v1.12.6, or v1.13.4, or remove the PATCH API call permission from untrusted users.

Banks are using APIs to get estimates of property values for mortgages. The main property valuer in Australia, LandMark White Limited had their API compromised. As a result, a database of the deals that went through them ended up publicly available on the internet. The source of the breach turned out to be an unprotected API. From what we know, it looks like that particular API was supposed to be an internal module, not called directly from the outside. However, attackers still managed to exploit the API and retrieve the data. All four major banks in Australia have stopped using the service, and the company is in deep crisis.

Amazon’s Ring Doorbell cameras had a serious API security flaw. While the APIs themselves were properly protected, their outputs were not. The audio and video footage from the doorbell cameras was effectively transmitted to the mobile app in plaintext. This enabled attackers to intercept and even substitute the audio and video stream from the cameras to the user. Unfortunately, Ring Doorbell cameras are not unique in that regard: we have previously reported API vulnerabilities in NUUO and Guardzilla security cameras.

Legislation

The U.S. Department of Health and Human Services (HHS) has proposed two new standards for patient data open APIs: CMS-9115-P and RIN 0955-AA01 .

By 2020, healthcare vendors are expected to start providing free access to patient data using standard APIs. The goal is to remove any barriers and enable consumer application ecosystem. Proposals are open to comments until April 2019. This has the potential to be as big as Open Banking.

Industry Stats

Some trends visible in the statistics from ITWeb and Radware:

“2017 was the ransom year that saw campaigns like WannaCry wreak havoc; whereas 2018 proved to be the year of automated incidents, with sensational attacks on APIs [emphasis added] (85%, according to the Radware research) especially bot attacks.”

You can subscribe to this weekly newsletter at https://APIsecurity.io