DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
What's in store for DevOps in 2023? Hear from the experts in our "DZone 2023 Preview: DevOps Edition" on Fri, Jan 27!
Save your seat
  1. DZone
  2. Data Engineering
  3. Databases
  4. API Security Weekly: Issue #28

API Security Weekly: Issue #28

This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial.

Dmitry Sotnikov user avatar by
Dmitry Sotnikov
CORE ·
Apr. 25, 19 · News
Like (2)
Save
Tweet
Share
9.73K Views

Join the DZone community and get the full member experience.

Join For Free

This week, we check out the details of the recent API vulnerabilities in Tchap, Shopify, and JustDial. Elsewhere, Gartner reports a whopping 77 percent increase in inquiries on API security. And finally, we take a look at how an API’s OpenAPI definition can be the foundation for API security.

Vulnerabilities

Tchap

Tchap is a messaging app that the French government released for internal use. It was hailed as a more secure replacement for Telegram and WhatsApp. And ironically enough, it got hacked in just one hour:

  1. The sign-up API had an email address parameter that didn’t validate the input format.
  2. A security researcher, Elliot Alderson, submitted fs0c131y@protonmail.com@elysee.fr as the address.
  3. The code simply verified that the address ended with @elysee.fr, which is a government email domain.
  4. The check was successful, and Tchap sent a verification email that got delivered to fs0c131y@protonmail.com belonging to the attacker.
  5. The attacker could click the confirmation link, get in, and be able to get into the internal government chat rooms.

To prevent the attack, developers should have defined a strict regular expression for the email address field of their API and enforced the limitation.

Shopify

Ayoub Fathi found an Insecure Direct Object Reference (IDOR) vulnerability in the API of Shopify Exchange App. The issue — now fixed by Shopify — affected about 8,700 stores and exposed all their revenue and traffic data.

IDOR vulnerability is basically about the lack of authorization. Attackers register and get valid credentials for authentication. However, instead of just accessing their own records, attackers then modify API calls to access other users’ data. For example, API calls might include some sort of ID parameter that attackers can modify to try various combinations. In this particular case, these were the online stores using Shopify that the researcher found through DNS.

Ayoub published a very detailed write-up including his scripts, the way he was doing DNS reverse lookups, and so on.

JustDial

India’s number one local search service, JustDial, had an unprotected API that leaked personal data of all its 100 mln+ users. Seems that when the company redesigned its apps, the old API was left running, unprotected, and with access to the user database.

Vulnerabilities like this one happen when companies pay attention to their applications but not to the underlying APIs. From JustDial’s perspective, their security was fine because their application was secure. The old API that still existed and had access to their data was simply not on their radar. Considering the wide adoption of API-based application architectures, this mindset needs to change in every company.

Analysts and trends

Gartner’s latest Application Security Testing magic quadrant report has some interesting internal statistics. In 2018, Gartner observed:

  • 77 percent increase over the year on inquiries from end-user clients about API security
  • 55 percent increase on inquiries about container security
  • 34 percent increase on inquiries about DevSecOps

Tools

TheNewStack is running my story on how developers can improve the security of their API contracts by auditing the security of the OpenAPI definition of their API.

You can subscribe to this newsletter at https://apisecurity.io.

API Application security

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • 7 Awesome Libraries for Java Unit and Integration Testing
  • Deploying Java Serverless Functions as AWS Lambda
  • What Is a Kubernetes CI/CD Pipeline?
  • Microservices Discovery With Eureka

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: