API Security Weekly: Issue #21

This week, we look at vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras.

by Dmitry Sotnikov
Mar. 07, 19 · News

This week, we look at vulnerable APIs in Kubernetes, real estate services in Australia, and Amazon Ring cameras. We also take a look at upcoming healthcare API standards in the US and changes in attack trends between 2017 and 2018.

Vulnerabilities

Kubernetes continues to have API vulnerabilities (see our earlier issues 9 and 13). This time, it turned out that the PATCH API request payload was not sanitized. Attackers could craft a payload that overloads the CPU and perform a denial of service (DoS) attack. To prevent the attack, upgrade Kubernetes to v1.11.8, v1.12.6, or v1.13.4, or remove the PATCH API call permission from untrusted users.
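Both mitigations above can be checked from a cluster audit. The following script is an added example, not code from the newsletter or from the Kubernetes project: it compares a server version string against the three fixed releases named above, and scans an RBAC role list (the constructed JSON below stands in for the output of `kubectl get roles,clusterroles -A -o json`) for rules that grant the `patch` verb, or `*`, so those grants can be reviewed against the list of trusted subjects. The assumption that every minor line newer than 1.13 ships with the fix, and that older lines the advisory does not name are unpatched, is the author's, not the newsletter's.

```python
"""Audit a Kubernetes version and RBAC rules for the PATCH payload DoS issue (added example)."""
import json
from typing import Dict, List, Tuple

# Minimum patched release per minor line, as stated in the newsletter.
FIXED_VERSIONS = {(1, 11): (1, 11, 8), (1, 12): (1, 12, 6), (1, 13): (1, 13, 4)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v1.12.5', 'v1.13.4-gke.1' or '1.14' into a (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> bool:
    """True when the server version is at or above the fixed release for its minor line."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption: lines newer than 1.13 were cut after the fix; older, unlisted lines are not fixed.
        return (major, minor) > (1, 13)
    return (major, minor, patch) >= fixed


def patch_grants(rbac_list: dict) -> List[Dict]:
    """Return one finding per RBAC rule that grants 'patch' (or the wildcard '*') on any resource."""
    findings = []
    for item in rbac_list.get("items", []):
        meta = item["metadata"]
        for rule in item.get("rules", []):
            verbs = set(rule.get("verbs", []))
            if "patch" in verbs or "*" in verbs:
                findings.append({
                    "kind": item["kind"],
                    "role": meta["name"],
                    "namespace": meta.get("namespace", "<cluster-scoped>"),
                    "resources": rule.get("resources", []),
                })
    return findings


# Constructed sample: two namespaced Roles and one ClusterRole, not taken from any real cluster.
SAMPLE_RBAC = json.loads("""
{
  "items": [
    {"kind": "Role", "metadata": {"name": "deploy-reader", "namespace": "web"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ci-editor", "namespace": "web"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
  ]
}
""")


if __name__ == "__main__":
    for v in ("v1.12.5", "v1.13.4-gke.1", "v1.14.0"):
        print(f"{v}: {'patched' if is_patched(v) else 'UPGRADE NEEDED'}")
    for f in patch_grants(SAMPLE_RBAC):
        print(f"{f['kind']} {f['namespace']}/{f['role']} grants patch on {f['resources']}")
```

The role scan flags `ci-editor` and `ops-everything` but not `deploy-reader`; whether a flagged grant is acceptable depends on who is bound to the role, so the next step in a real audit is to read the matching RoleBindings and ClusterRoleBindings for those two names.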

Banks are using APIs to get estimates of property values for mortgages. The main property valuer in Australia, LandMark White Limited, had its API compromised. As a result, a database of the deals that went through the company ended up publicly available on the internet. The source of the breach turned out to be an unprotected API. From what we know, it looks like that particular API was supposed to be an internal module, not called directly from the outside. However, attackers still managed to reach the API and retrieve the data. All four major banks in Australia have stopped using the service, and the company is in deep crisis.

Amazon’s Ring Doorbell cameras had a serious API security flaw. While the APIs themselves were properly protected, their outputs were not. The audio and video footage from the doorbell cameras was effectively transmitted to the mobile app in plaintext. This enabled attackers to intercept and even substitute the audio and video stream from the cameras to the user. Unfortunately, Ring Doorbell cameras are not unique in that regard: we have previously reported API vulnerabilities in NUUO and Guardzilla security cameras.

Legislation

The U.S. Department of Health and Human Services (HHS) has proposed two new standards for patient data open APIs: CMS-9115-P and RIN 0955-AA01.

By 2020, healthcare vendors are expected to start providing free access to patient data using standard APIs. The goal is to remove any barriers and enable a consumer application ecosystem. The proposals are open for comment until April 2019. This has the potential to be as big as Open Banking.

Industry Stats

Some trends visible in the statistics from ITWeb and Radware:

“2017 was the ransom year that saw campaigns like WannaCry wreak havoc; whereas 2018 proved to be the year of automated incidents, with sensational attacks on APIs [emphasis added] (85%, according to the Radware research) especially bot attacks.”

You can subscribe to this weekly newsletter at https://APIsecurity.io

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
