API Security Weekly: Issue #24
This week, we dive under the skin with unprotected APIs on implanted cardiac defibrillators and take a spin with a hacked tornado warning system in Texas. We also have a story on how Uber used an API vulnerability to drive a competitor out of business, and finally we look at how to store API keys and how to prevent SQL injections.
Emergency warning systems have unprotected APIs as well. Two cities in Texas had their tornado warning systems hacked to sound alarms in the middle of the night, by an attack as simple as sending a radio signal. It turns out that there is no security on these interfaces: you just need to know the radio signal that the system expects. See this Reddit discussion for more details.
Never put your secrets in your source code. Researchers at North Carolina State University found over 100 000 repositories on GitHub that contained API keys and cryptographic keys. The repositories in question are public, so anyone can use the keys to take over the associated accounts. Here is the full report, and a quick summary in ZDNet.
GitHub is working on its Token Scanning tool to somewhat mitigate the issue. However, the tool only checks a few token formats for the most widely used services: AWS, Azure, GCloud, GitHub, Slack, and Stripe.
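The two detection strategies mentioned above, a fixed-format match for the handful of providers a scanner knows about and a generic high-entropy fallback for everything else, are easy to run locally as a pre-commit check. The following is an added example, not GitHub's tool or the NCSU researchers' code: it scans a constructed in-memory "repository" (the AWS key values are the placeholder keys from AWS's own documentation) and reports the file and line of each hit. The AKIA pattern for AWS access key IDs is real; the entropy threshold is an assumption tuned for the demo.

```python
import math
import re

# Constructed sample repository contents (not from the newsletter or the NCSU study).
# The AWS key values are the placeholder examples from AWS's own documentation.
SAMPLE_REPO = {
    "config.py": (
        "DB_HOST = 'localhost'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DEBUG = True\n"
    ),
    "README.md": "This project talks to the weather API.\n",
}

# Format-specific detectors, in the spirit of GitHub's token scanning: each one
# matches the fixed shape of a provider's credential. AWS access key IDs are
# 20 characters starting with AKIA. Add one entry per provider format you track.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Fallback for formats the known list does not cover: any quoted string of
# 20+ base64/hex-like characters whose Shannon entropy is high.
CANDIDATE = re.compile(r"""['"]([A-Za-z0-9/+=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune for your code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, finding_kind) for every suspicious line.

    A known-format match wins over the entropy heuristic on the same line, so a
    credential is reported once with the most specific label available.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        kind = next((name for name, rx in KNOWN_FORMATS.items() if rx.search(line)), None)
        if kind is None:
            for candidate in CANDIDATE.findall(line):
                if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                    kind = "high-entropy-string"
                    break
        if kind is not None:
            findings.append((path, line_no, kind))
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a {path: contents} mapping; a non-empty result should fail the commit."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, line_no, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: {kind}")
```

The secret access key has no fixed prefix, so only the entropy fallback catches it; that is exactly the gap a format-only scanner leaves, and why the generic check is worth keeping even though it produces more false positives than the known-format patterns.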
Kubernetes is also working on improving its storage for secrets. The feature is already available in alpha in version 1.13, with the full release planned for v1.16. The improvements include:
- No more forever tokens.
- No secrets in environments.
- Keys auto-expire on pod restarts.
- Tokens are bound to specific services.
Here’s an example of how a lack of API security can damage your business, again from Down Under. In Australia, Uber reportedly used the unprotected APIs of a local rival, GoCatch, which exposed information about its drivers and their locations. Uber collected the information, contacted the drivers, and lured them away from the competitor into its own ranks.
Here’s a great educational video about SQL injections by Computerphile. It uses a PHP site as the example, but everything it shows applies equally to REST interface parameters and JSON payloads. Lock down, sanitize, and escape your inputs!
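To make the point about JSON payloads concrete, here is an added example (not from the video or the newsletter) of a small API lookup written twice: once building the SQL from the JSON field by string formatting, and once validating the field's type and binding it as a query parameter. The user table and request bodies are constructed for the demo, and the in-memory SQLite database stands in for whatever the real API would query.

```python
import json
import sqlite3

# Constructed sample data for the demo; not from the video or the newsletter.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Constructed JSON request bodies, as an API endpoint would receive them.
NORMAL_REQUEST = json.dumps({"username": "alice"})
INJECTED_REQUEST = json.dumps({"username": "x' OR '1'='1"})
WRONG_TYPE_REQUEST = json.dumps({"username": ["alice"]})


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, body: str) -> list:
    """Builds the SQL by string formatting: the JSON field becomes part of the query text.

    This is the same mistake as the PHP form in the video, just with a JSON body
    instead of a form field; the quote in the payload closes the string literal.
    """
    username = json.loads(body)["username"]
    query = f"SELECT username, email FROM users WHERE username = '{username}' ORDER BY id"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, body: str) -> list:
    """Checks the field's JSON type, then passes it as a bound parameter, never as query text."""
    username = json.loads(body).get("username")
    if not isinstance(username, str):
        raise ValueError("username must be a string")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? ORDER BY id", (username,)
    ).fetchall()


def safe_rejects_wrong_type(conn) -> bool:
    """JSON lets a client send a list or object where a string is expected; the safe version refuses it."""
    try:
        lookup_user_safe(conn, WRONG_TYPE_REQUEST)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal request: ", lookup_user_vulnerable(conn, NORMAL_REQUEST))
    print("vulnerable, injected request:", lookup_user_vulnerable(conn, INJECTED_REQUEST))
    print("safe, injected request:     ", lookup_user_safe(conn, INJECTED_REQUEST))
    print("safe rejects wrong type:    ", safe_rejects_wrong_type(conn))
```

With the parameterized query the whole JSON string is compared as a value, so the tautology simply matches no user; the type check matters because a JSON body, unlike an HTML form, can carry arrays and objects that a string-only endpoint should refuse up front.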
You can subscribe to the weekly API Security newsletter at https://APISecurity.io
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.