API Security Weekly: Issue #44

This week, we look at API vulnerabilities in Kubernetes and 3Fun, the upcoming API Specification Conference, and the slides from an EIC 2019 conference presentation.

By Dmitry Sotnikov (DZone CORE) · Aug. 15, 19 · News

Vulnerabilities: Kubernetes

Kubernetes has fixed the API vulnerability CVE-2019-11247.

This flaw allowed attackers to access, modify, or delete compute and storage resources configured across a Kubernetes cluster. The root cause was in the authorization logic: it let callers holding only standard role-based access control (RBAC) permissions reach cluster-wide resources.

To obtain the fix, upgrade your Kubernetes to v1.13.9, v1.14.5, or v1.15.2.

Vulnerabilities: 3Fun

The group dating app 3Fun was leaking the location and personal information of 1.5 million users.

The app had an insecure API that returned information on other app users near your location, based on your actual coordinates. The coordinates were supposed to come from the mobile app, but they could just as well be supplied as parameters of direct API calls.

Leveraging this, researchers from Pen Test Partners (as well as any attacker) were able to call the API with various spoofed coordinates to enumerate users in different cities. Even worse, the API returned all information about these users: exact location, birthday, gender, sexual preferences, pictures, chats.

In theory, users could choose to restrict what information they wanted to share. However, only the mobile application on the client side filtered the data and hid the fields the user had flagged as confidential. There was no filtering in the API itself, so anyone calling the API directly received all information, regardless of the users’ privacy settings.

Another reminder that APIs should be treated as the system edge, not the clients rendering the data.
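To make the "API as the system edge" point concrete, here is an added example (not code from the article or from 3Fun) of a "nearby users" endpoint that takes the search origin from the authenticated user's stored record, applies each target user's privacy settings on the server, and never returns raw coordinates. The user records, field names and privacy flags are constructed for illustration.

```python
import math
from dataclasses import dataclass, field

# Constructed sample records standing in for the app's user database (not real data).
@dataclass
class User:
    user_id: str
    lat: float
    lon: float
    birthday: str
    gender: str
    preferences: str
    hidden: set = field(default_factory=set)  # profile fields this user chose not to share

USERS = {
    "u1": User("u1", 49.2827, -123.1207, "1990-01-01", "F", "any", {"birthday", "preferences"}),
    "u2": User("u2", 49.2850, -123.1100, "1988-05-05", "M", "none"),
    "u3": User("u3", 48.8566, 2.3522, "1992-07-07", "F", "any", {"gender"}),
}
PROFILE_FIELDS = ("birthday", "gender", "preferences")

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine); sufficient for a radius check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def nearby_users(requester_id, radius_km=5.0):
    """Server-side 'nearby' handler. Three controls the leaky API in the article lacked:
    1. the search origin is the authenticated requester's stored position, never a
       caller-supplied lat/lon parameter, so coordinates cannot be spoofed;
    2. each profile field is filtered by the *target* user's privacy settings here,
       not in the mobile client;
    3. exact coordinates never leave the server; only a rounded distance does."""
    me = USERS[requester_id]
    results = []
    for u in USERS.values():
        if u.user_id == requester_id:
            continue
        d = distance_km(me.lat, me.lon, u.lat, u.lon)
        if d > radius_km:
            continue
        profile = {f: getattr(u, f) for f in PROFILE_FIELDS if f not in u.hidden}
        profile["user_id"] = u.user_id
        profile["distance_km"] = round(d, 1)  # coarse value only, no lat/lon
        results.append(profile)
    return results
```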

Conferences: ASC 2019

API Specification Conference (ASC 2019) is taking place in Vancouver, Canada on October 15–17, 2019.

The conference is organized by the OpenAPI Initiative, the Linux Foundation project behind the OpenAPI standard. It is the successor to the earlier APIStrat event.

This week, the organizers have published the preliminary agenda. There is a lot of great content, including sessions on API security.

A discount code ASC19ANNOUNCE worth $100 is valid until this Friday, August 16th.

Slides: API Security in a Microservices World

Philippe Leothaud has published the slides from the “API Security in a Microservices World” talk that he gave at the European Identity and Cloud Conference (EIC) 2019 in Munich.

The slides cover the following themes:

  • The concepts, goals, and architecture of microservices
  • Security challenges, with a concrete example with FAPI
  • Organizational challenges, DevSecOps
  • Further reading

You can subscribe to this newsletter at APIsecurity.io.

Tags: API security, Kubernetes, mobile app

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
