API Security Weekly: Issue #39
This week, we take a look at Zoom’s insecure API snafu that affects millions of Mac users, improvements to the OpenAPI support in Visual Studio Code (VS Code), the PolarProxy tool for TLS traffic decoding, the latest API breach fines, and a new survey on cloud security.
Vulnerability: Zoom's Local Web Server on Macs
Zoom is a popular video conferencing app. Unfortunately, in its pursuit of ease of use, it deployed a local web server with a vulnerable API to the computers of more than 4 million Mac users.
Zoom wanted a one-click-join experience for its meeting links. Safari on macOS does not open application-specific links such as zoom:// without first asking the user to confirm, which costs an extra click. As a work-around, Zoom quietly installed its own web server on each Mac, so that its web pages could start a meeting by calling localhost.
Browsers enforce the same-origin policy (with Cross-Origin Resource Sharing, CORS, as its controlled relaxation), which normally stops a web page from talking to a server on another origin such as localhost. Image loads, however, are allowed cross-origin without any CORS check, and Zoom exploited exactly that: the API calls were disguised as image requests, and the server replied with an image whose dimensions encoded the result.
As a result, an attacker can embed an img element on a web page and force your Mac to start a Zoom session with the camera on. An iframe pointing at the Zoom link works just as well. Either way, the user only has to land on the crafted page; no click or other action is required.
The API is not fully documented, so there may be further remote attacks. For example, the local web server survives an uninstall of the Zoom app and will silently reinstall the client the next time a meeting link is opened, unless the web server itself is removed separately.
See the full report by Jonathan Leitschuh; it is a fascinating read.
Tools: The OpenAPI Extension for Visual Studio Code
VS Code is a popular Integrated Development Environment (IDE). The OpenAPI extension for it was released about a month ago, originally supporting only API contracts in JSON format.
This week, the extension has been updated to include support for YAML format as well. Now, all functionalities — new API templates, navigation, linting, snippets, Go To Definition, IntelliSense — are available for both formats.
Tools: PolarProxy
Netresec has released PolarProxy, a free tool for malware researchers and incident responders.
It is a transparent SSL/TLS proxy that decrypts traffic and saves the decrypted streams as a PCAP file, so that they can be examined in Wireshark or other tools.
Fines for API Vulnerabilities
We covered the API vulnerability in the Jack'd dating app in an earlier issue of this newsletter. This week, the app's vendor, Online Buddies, was fined $240K for having that vulnerability in its API and failing to protect its users' data.
Survey: 2019 Cloud Security Report
Cybersecurity Insiders has published its 2019 Cloud Security Report. Highlights relevant to API security include:
- Data loss and leakage are the top cloud security concern (64%).
- The biggest vulnerabilities in the minds of security professionals are (each at 42%):
  - Unauthorized access through misuse of employee credentials and improper access controls
  - Insecure APIs
API Security Briefings From Amazon Echo
You can now add this newsletter to your news briefings on Amazon Echo and Alexa devices:
- Open your Amazon Alexa app
- Go to Skills & Games
- Search for API Security
- Enable the skill
Now, whenever you ask Alexa to read you the news, you will also hear the latest from our newsletter.
You can subscribe to this weekly newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.