API Security Weekly: Issue #31

This week, Samsung has leaked a token that provides full access to their SmartThings code repository, and Facebook fixed one API flaw but got fined for another. We also have a discussion of API security and DevOps and look into a survey that Postman runs on the future of OpenAPI support.

API Keys

We have discussed API key security in our issue 25. This week, there was another high profile leak: Researchers found in the wild a token giving full access to the Samsung SmartThings GitLab repository.

One of the Samsung labs had a GitLab server with some of the repositories set to be public, and one of these repos had an AWS S3 access token in its code. The AWS S3 turned out to have more than 100 storage buckets, containing logs and analytics. Within that data, researches found GitLab tokens, including the one for the SmartThings project.

The SmartThings app has more than 100 million installations globally. Thus, the potential impact of any attacker modifying the code is huge.

Keep your repositories private and never put your API tokens in your code or logs!

Business Impact

Facebook got fined for the API vulnerability in their Photo API that leaked private photos. The vulnerability was found and fixed back in December, but this shows that even vulnerabilities that are fixed might come back to bite you.

API Security by Design

Some more bad news from Facebook: they had another API issue last week. This one was a flaw in the API design.

Facebook has a marketplace section that lets users buys and sell stuff. The web application fuzzes the seller’s location to protect privacy. However, the fuzzing was implemented only on the web UI’s side. The API itself gave away the exact GPS coordinates so that an attacker could get the exact location of any seller on the platform.

The bottom line here is that APIs should be treated as products. They should not disclose more information than the product is supposed to disclose.

Reviews

Enterprise Security Weekly is a popular online show by Matt Alderman and Paul Asadorian. This week, among many other topics, they had a discussion on API security. API attacks are on the rise, so how do you ensure that your APIs are comprehensively audited and protected from dev to QA to runtime?

Tools

CEO and the founder of Postman, Abhinav Asthana, is asking for help in determining what the scope of the OpenAPI support should be in the tool. He runs a survey on whether developers typically write the API definition in an editor, or generate it from the code. Cast your vote here.

You can subscribe to this weekly newsletter at https://APIsecurity.io