API Security Weekly: Issue #64
This week, take a look at some vulnerable APIs, such as in the Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint.
It is all about vulnerable APIs this week. We are looking at the ones in the Plenty of Fish dating app, Sony’s SonyLIV services, and Microsoft SharePoint. Also, there is a big leak of Facebook users’ phone numbers presumably harvested via APIs.
Vulnerability: Plenty of Fish
This time, there is a leaky API in the Canadian Plenty of Fish dating app. The service is quite popular, with about 100 million registered users.
Although the application itself allows users to hide their personal information, the API behind it does not. API calls return sensitive personal information including first name, zip code, income level, parents’ marital status, and number of siblings.
If you are an API provider, you need to avoid relying on client-side data filtering and protection. Treat your APIs as your user interface: only return the data that is fine for the requesting user to see.
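To illustrate the difference between filtering in the client and filtering in the API, here is an added example (not code from the newsletter or from Plenty of Fish) with a constructed profile record and constructed privacy settings. The vulnerable handler returns the whole record and trusts the app to hide fields; the hardened handler applies a server-side allowlist, never returns matchmaking-only attributes to other users, and honors the owner's per-field visibility settings, defaulting to private.

```python
# Added example: server-side response filtering for a profile endpoint.
# The record, the privacy settings and the field classes below are constructed
# for illustration; they are not the real application's data model.

PROFILE = {
    "id": 42,
    "username": "alex_h",
    "first_name": "Alex",
    "zip_code": "90210",
    "income_level": "high",
    "parents_marital_status": "divorced",
    "siblings": 2,
    "bio": "Hiker and amateur cook",
    "age": 31,
}

# Per-field visibility chosen by the owner; anything not listed is treated as private.
PRIVACY = {"bio": "public", "age": "private"}

# Fields every viewer may see (identity needed to render the profile at all).
ALWAYS_PUBLIC = {"id", "username"}

# Fields used only for server-side matching; never serialized to other users,
# whatever the owner's settings say.
NEVER_SHARED = {"zip_code", "income_level", "parents_marital_status", "siblings"}


def profile_vulnerable(profile, viewer_id):
    """The pattern described above: return everything and rely on the app to hide it."""
    return dict(profile)


def profile_for_viewer(profile, privacy, viewer_id):
    """Allowlist-based filtering done by the API, not the client."""
    if viewer_id == profile["id"]:
        # The owner may see their own record in full.
        return dict(profile)
    visible = {}
    for field, value in profile.items():
        if field in NEVER_SHARED:
            continue
        if field in ALWAYS_PUBLIC or privacy.get(field, "private") == "public":
            visible[field] = value
    return visible


if __name__ == "__main__":
    print("vulnerable:", profile_vulnerable(PROFILE, viewer_id=7))
    print("hardened:  ", profile_for_viewer(PROFILE, PRIVACY, viewer_id=7))
```

The key design choice is that the response is built from an allowlist, so a new sensitive column added to the record later is private by default rather than leaked by default.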
Vulnerability: SonyLIV
SonyLIV is a popular internet television channel and subscription service operated by Sony Pictures Networks in India and Pakistan. Its app has more than 100 million installs on the Google Play Store.
Just like the recently reported Droom issue, SonyLIV has an API vulnerability in its social login implementation. When logging in with Google Authenticator, Ehraz Ahmed found that he could log into another user’s account. To do that, he just had to put the other user’s email address in the corresponding parameter field.
OAuth 2.0 is a frequently used delegated-access mechanism. However, its use frequently gives vendors a false sense of security: when poorly implemented, it can still leave your systems wide open. Use a standard, off-the-shelf implementation whenever possible, or seriously audit your own implementation for completeness and adherence to security best practices.
Vulnerability: Microsoft SharePoint
The API was vulnerable in SharePoint versions 2010 SP2, 2013 SP1, 2016, and 2019. A crafted API response allowed attackers to read arbitrary files on the server.
Unfortunately, public details on the actual vulnerability are scarce. From the looks of it, it appears to be some kind of data validation issue.
Make sure that you thoroughly define and enforce data schemas, patterns, and ranges for all your API payloads.
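As an added example of the schema-plus-pattern-plus-range enforcement recommended above (not SharePoint's code, and not tied to the undisclosed details of this bug), the validator below uses only the standard library. The schema, field names and limits are constructed for illustration. It rejects unknown fields, wrong types, out-of-range numbers and strings that do not match the declared pattern, and it reports every problem rather than stopping at the first one, which is what you want when logging rejected payloads.

```python
# Added example: strict payload validation against a declared schema.
# SCHEMA and the field names are constructed; adapt the rules to your own API.
import re

SCHEMA = {
    # field: {type, optional min/max for numbers, optional pattern for strings, required}
    "file_id": {"type": int, "min": 1, "max": 10**9},
    "name": {"type": str, "pattern": r"[A-Za-z0-9_.-]{1,64}"},
    "page": {"type": int, "min": 1, "max": 1000, "required": False},
}


def validate(payload: dict, schema: dict = SCHEMA) -> list:
    """Return a list of validation errors; an empty list means the payload is acceptable."""
    errors = []
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    for key in payload:
        if key not in schema:
            errors.append(f"unexpected field: {key}")
    for key, rule in schema.items():
        if key not in payload:
            if rule.get("required", True):
                errors.append(f"missing field: {key}")
            continue
        value = payload[key]
        # Exact type check: this deliberately rejects bool where int is expected,
        # since bool is a subclass of int in Python and isinstance would let it through.
        if type(value) is not rule["type"]:
            errors.append(f"{key}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{key}: {value} is below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{key}: {value} is above maximum {rule['max']}")
        # fullmatch anchors the pattern to the whole string, so a path separator
        # or traversal sequence anywhere in the value is rejected.
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{key}: value does not match pattern {rule['pattern']!r}")
    return errors


if __name__ == "__main__":
    print(validate({"file_id": 3, "name": "report.docx"}))            # []
    print(validate({"file_id": 0, "name": "../web.config", "x": 1}))  # three errors
```

The checks are allowlist-shaped: a value passes only if it matches a declared type, range and pattern, rather than failing only when it matches a known-bad string.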
Data Harvesting: Facebook
Phone numbers of 267 million Facebook users have been shared on an online hacker forum.
Presumably, these have been harvested via Facebook APIs, which, until 2018, gave access to that data.
If you are an API provider:
- Do not expose more data than absolutely needed
- Limit access to sensitive personal data
- Prevent data enumeration
- Have logging, monitoring, and alerting in place
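The last two items, preventing enumeration and having monitoring in place, are easiest to see together. The added example below (not Facebook's code or the newsletter's) runs over a few constructed access-log lines for a hypothetical `/api/users/lookup?phone=...` endpoint and flags any client that queries more distinct phone numbers inside a sliding window than a normal user plausibly would. The endpoint path, log format and threshold are assumptions; the same shape of check works for any lookup keyed on a guessable or list-driven identifier.

```python
# Added example: detecting identifier enumeration from access logs.
# LOG, the endpoint path and the log format are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG = """
2019-12-20T10:00:01 203.0.113.7 GET /api/users/lookup?phone=%2B15550000001 200
2019-12-20T10:00:03 203.0.113.7 GET /api/users/lookup?phone=%2B15550000002 404
2019-12-20T10:00:05 198.51.100.4 GET /api/users/lookup?phone=%2B15550000099 200
2019-12-20T10:00:08 203.0.113.7 GET /api/users/lookup?phone=%2B15550000003 200
2019-12-20T10:00:12 203.0.113.7 GET /api/users/lookup?phone=%2B15550000004 404
2019-12-20T10:00:15 198.51.100.4 GET /api/feed 200
2019-12-20T10:00:20 203.0.113.7 GET /api/users/lookup?phone=%2B15550000005 200
2019-12-20T10:00:31 203.0.113.7 GET /api/users/lookup?phone=%2B15550000006 404
2019-12-20T10:05:00 198.51.100.4 GET /api/users/lookup?phone=%2B15550000099 200
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d{3})")
LOOKUP_PATH = "/api/users/lookup"


def parse_lookups(log_text: str) -> list:
    """Yield (timestamp, client, phone) for each request to the lookup endpoint."""
    events = []
    for line in log_text.strip().splitlines():
        match = LINE.match(line)
        if not match:
            continue
        ts, client, _method, target, _status = match.groups()
        url = urlsplit(target)
        if url.path != LOOKUP_PATH:
            continue
        phone = parse_qs(url.query).get("phone", [None])[0]
        events.append((datetime.fromisoformat(ts), client, phone))
    return events


def detect_enumeration(log_text: str, max_distinct: int = 5,
                       window: timedelta = timedelta(seconds=60)) -> dict:
    """Map client -> highest number of distinct phones it looked up within one window."""
    by_client = defaultdict(list)
    for ts, client, phone in parse_lookups(log_text):
        by_client[client].append((ts, phone))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {phone for _, phone in hits[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(LOG))   # {'203.0.113.7': 6}
```

Counting distinct identifiers rather than raw requests keeps a user who retries the same lookup from being flagged, while a client walking through a list stands out quickly. The same per-client counter can drive the response side as well: once a client exceeds the threshold, rate-limit the endpoint for it rather than only raising an alert, and make sure the endpoint returns the same shape of response for known and unknown identifiers so the response itself does not confirm membership.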
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.