API Security Weekly: Issue #33

DZone 's Guide to

API Security Weekly: Issue #33

This week, we look at FirstAm leak, vulnerable Nokelock API, KuppingCole report, and stats from the security volume of Akamai's State of the Internet report.

· Integration Zone ·
Free Resource

This week, we look at FirstAm leak, vulnerable Nokelock API, KuppingCole report, and some stats from the security volume of Akamai's State of the Internet report.

Vulnerability: First American

First American Financial Corp. was leaking 885 million mortgage deals records until it was notified by KrebsOnSecurity last week. The leaked records included highly sensitive information such as social security numbers (SSN), bank accounts, tax records, and wire details.

Presumably, the company did not want to secure the documents to simplify the access to them for all parties in a mortgage deal. As a result, the records could be obtained just by putting a sequential document ID parameter in the URL. These parameters were 9-digit integers starting with 000000075 (this one dating from 2003). All attackers had to do was to keep incrementing this parameter and downloading the documents!

This shows how “simplifying” can backfire on you. Instead, access to specific partners with proper authentication and authorization should be used. If this cannot be done for business reasons, other security measures could still be implemented, such as:

  • Separating the web page to view the document from the document URL, and password-protecting that page.
  • Avoiding sequenced identifiers and using randomized IDs instead.
  • Expiring the access to older documents.
  • Monitoring access to prevent bulk download attempts.
  • Notifying the business of the risks using proper risks/benefits analysis.

Vulnerability: Nokelock

Researches have found API vulnerabilities in Nokelock Bluetooth-enabled padlocks. These are the most popular inexpensive devices of that kind on Amazon, and are sold under a few different brands.

The API for the locks uses unencrypted HTTP traffic and a shared API key across all accounts. This lets an attacker get an API key and re-use it against locks belonging to other customers. An attacker could open the locks, get user information and device GPS location, or reassign lock ownership.

Always use HTTPS as your transport protocol and personalized authentication and authorization to prevent such attacks.

Analysts: KuppingerCole on API security

Alexei Balaganski from KuppingerCole has released a report on API security: "The Dark Side of the API Economy." The report contains detailed examples of the recent exploits, common myths, and recommendations including:

  • Education is key
  • Designing an API strategy
  • Know what you are protecting
  • API Zero Trust
  • Automating API security

The report is free with registration.

Industry Trends: The Rise of REST and JSON

Akamai has released the Security volume of their annual “State of the Internet” report. It has fascinating statistics on the rapid rise of API traffic and the impact it has on security:

  • API traffic now constitutes a whopping 83 percent of all web traffic! HTML traffic is down to just 17 percent.
  • This is a significant growth compared to the 47 percent only four years ago.
  • Most of the API traffic is JSON. XML is very much in decline.
  • Browsers (web applications) are only getting 27 percent of API traffic. The rest of the traffic is smartphones, applications, and devices.

A quote from the report:

"For security practitioners, this is vitally important — not all tools are capable of handling the shift, and you may be missing a major source of malicious traffic in your defenses."


You can subscribe to this weekly newsletter at https://APIsecurity.io

api, api news, api security, api vulnerabilities, cybersecurity, integration, integration news, json, rest, security

Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}