Top 5 Biggest API Attacks of 2022

The foundational elements of contemporary apps are application programming interfaces (APIs). Consider them the entrances to the online world. They enable crucial corporate activities, keep everyone connected to essential data and services, and facilitate digital transformation. As researchers and companies have confirmed in recent years, enterprises aiming to safeguard weak points in their security infrastructure should prioritize API security. The findings from a 2022 study showing that "malicious API attack traffic surged 117% over the past year" add credence to these worries.

The use of APIs and the incidence of API security breaches are both growing. According to a recent Gartner report, "by 2025, less than 50% of enterprise APIs will be managed" because of the continued growth in the number of APIs. In other words, fewer than half of the APIs that can access crucial application data will be known, secured, and under control. Given the rapid expansion of APIs and of API security breaches, there is work to be done: if not every API an application exposes is identified and secured, an enormous attack surface is left waiting to be penetrated and exploited. API security vulnerabilities are a persistent pain for enterprises, with access control problems linked to high-severity Common Vulnerabilities and Exposures (CVEs).

As the attack surface has grown and more bad actors have realized how lucrative it is to target APIs, the number of API attacks has skyrocketed.

The Open Web Application Security Project (OWASP) has highlighted ten common API security risks that attackers exploit:

  • Broken Object Level Authorization
  • Broken User Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Assets Management
  • Insufficient Logging and Monitoring

APIs are here to stay and are increasingly becoming a common target for data breaches, so without further ado, here is a list of the top 5 data breaches in 2022 that were due to API security issues, ordered by the number of accounts impacted:

1.8 million accounts exposed

In January 2022, an insurance company reported a breach of 1.8 million Texan user accounts. The vulnerability was in a web service application that inadvertently allowed access to protected parts of the application. “We found the issue was due to programming code that allowed internet access to a protected area of the application,” Gonzalez said in a statement. “We fixed the programming code issue and put the TDI web application back online. We began an investigation to find the nature and scope of the issue.” This can be categorized as a Broken Function Level Authorization (BFLA) exploit.

5.4 million accounts exposed from Twitter Breach

Twitter revealed in July 2022 that from late 2021 into 2022, an API breach exposed the PII of 5.4 million user accounts (the actual number of accounts may be significantly higher). The flaw was in an API that let users find other users and inadvertently exposed PII. There are claims that some of this data was given away for free and sold on the dark web. This was a BOLA exploit: the fundamental problem was data exposed to callers who should not have been able to read it. One of the unpleasant truths of API attacks is that security holes in these systems expose previously unheard-of volumes of data, in this case the records of at least 5.4 million users. According to Avishai Avivi, CISO of SafeBreach, "APIs are designed to be utilized by systems to communicate with each other and exchange vast volumes of data. Therefore, these interfaces constitute an enticing target for bad actors to attack."
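The lookup pattern behind the breach above, as an added example that is not part of the original article: a "find user" handler that trusts the requested id and hands back the whole record, beside a hardened version that applies an object-level authorization check and returns only the public projection to anyone but the owner. The users, field names and function names are constructed for illustration.

```python
# Added example (not from the article): Broken Object Level Authorization
# (BOLA) in a user-lookup endpoint, vulnerable form beside the hardened form.
# All data below is constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    handle: str   # public
    email: str    # PII: only the account owner may see it
    phone: str    # PII


# Constructed stand-in for the user directory behind the API.
USERS = {
    1: User(1, "alice", "alice@example.test", "+1-555-0100"),
    2: User(2, "bob", "bob@example.test", "+1-555-0101"),
}

PII_FIELDS = ("email", "phone")


def lookup_vulnerable(caller_id: int, target_id: int) -> Optional[dict]:
    """BOLA: the object id comes from the request and is trusted as-is, so any
    authenticated caller can pull any other user's full record, PII included.
    caller_id is accepted but never consulted, which is the defect."""
    u = USERS.get(target_id)
    if u is None:
        return None
    return {"id": u.user_id, "handle": u.handle, "email": u.email, "phone": u.phone}


def lookup_hardened(caller_id: int, target_id: int) -> Optional[dict]:
    """Object-level authorization: the caller's identity (from the session,
    not the request body) is compared with the record owner. Non-owners get
    only the public projection; PII is added only when caller == owner."""
    u = USERS.get(target_id)
    if u is None:
        return None
    response = {"id": u.user_id, "handle": u.handle}
    if caller_id == u.user_id:
        response.update({"email": u.email, "phone": u.phone})
    return response


def leaked_pii(response: Optional[dict]) -> set:
    """Detection helper: which PII fields a response exposes (useful when
    reviewing API responses or test fixtures for excessive data exposure)."""
    return set() if response is None else {f for f in PII_FIELDS if f in response}
```

Run `leaked_pii(lookup_vulnerable(2, 1))` against `leaked_pii(lookup_hardened(2, 1))` to see the difference a single ownership comparison makes.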

Exposure of 3.7 million accounts

A digital scheduling platform experienced a security compromise in January 2022, exposing the PII of 3.7 million user accounts. The vulnerability was that the client database sat in an unprotected AWS S3 bucket. This BOLA exploit illustrates how access to private data was made possible through third-party APIs, such as the S3 APIs.

7 million exposed accounts

A significant data breach at an internet marketing platform was discovered in February 2022, exposing the PII of 7 million customer accounts. Again, an unprotected, unencrypted S3 bucket containing PII was the problem.

10 million exposed accounts

A worldwide telco business disclosed a compromise affecting 10 million accounts in September 2022, and the perpetrator demanded $1 million in ransom. An open public API was the source of the flaw, which falls under BFLA.

Conclusion

API usage is rising. More and more APIs are being developed to meet business demands, and more API calls are being made. The attack surface is growing, and the hazards grow with it. Visibility is the key to thwarting API attacks in the future. Organizations must know how their APIs behave inside their firewalls. They also need a security provider who can monitor the sizable API ecosystem outside their own, which helps safeguard their entire security posture.

About the Author: Mosopefoluwa is a certified Cybersecurity Analyst and Technical Writer. She has experience working as a Security Operations Center (SOC) Analyst, with a history of creating relevant cybersecurity content for organizations and spreading security awareness. She volunteers as an Opportunities and Resources Writer with a Nigeria-based NGO, where she curates weekly opportunities for women. She is also a regular writer at Bora.

Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.

Connect with her on LinkedIn and Instagram
