API Security Weekly: Issue #44

This week, we look at API vulnerabilities in Kubernetes and 3Fun, upcoming API Specification Conference, and slides from EIN 2019 conference presentation.

Vulnerabilities: Kubernetes

Kubernetes has fixed the API vulnerability CVE-2019-11247.

This flaw allowed attackers to access, modify, or delete computing and storage resources configured across a Kubernetes cluster. The issue was with authorization logic that allowed intruders to access cluster-wide resources with only standard role-based access control (RBAC) permissions.

To obtain the fix, upgrade your Kubernetes to v1.13.9, v1.14.5, or v1.15.2.

Vulnerabilities: 3Fun

The group dating app 3Fun was leaking location and personal information from 1.5 mln users.

The app had an insecure API that provided information on other app users nearby your location based on your actual coordinates. The coordinates were supposed to come from the mobile app, but they could just as well be supplied as parameters of API calls.

Leveraging this, researchers from Pen Test Partners (as well as any attacker) were able to call the API with various spoofed coordinates to enumerate users in different cities. Even worse, the API returned all information about these users: exact location, birthday, gender, sexual preferences, pictures, chats.

In theory, users could choose to restrict what information they wanted to share. However, it was only the mobile application on the client-side that was filtering the data and hiding the things user had flagged as confidential pieces. There was no filtering on the API itself, so someone calling the API directly would get all information, regardless of users’ privacy settings.

Another reminder that APIs should be treated as the system edge, not the clients rendering the data.

Conferences: ASC 2019

API Specification Conference (ASC 2019) is taking place in Vancouver, Canada on October 15—17, 2019.

The conference is organized by the OpenAPI Initiative, the Linux Foundation project behind the OpenAPI standard. This is the evolution of the APIStrat event in the past.

This week, the organizers have published the preliminary agenda. There is a lot of great content, including sessions on API security.

A discount code ASC19ANNOUNCE worth $100 is valid until this Friday, August 16th.

Slides: API Security in a Microservices World

Philippe Leothaud has published the slides from the “API Security in a Microservices World” talk that he gave at the European Identity and Cloud Conference (EIC) 2019 in Munich.

The slides cover the following themes:

• The concepts, goals, and architecture of microservices
• Security challenges, with a concrete example with FAPI
• Organizational challenges, DevSecOps
• Further reading

You can subscribe to this newsletter at APIsecurity.io.