Why Locking Down APIs is Crucial for Preventing Data Breaches

The Growing Threat of API Vulnerabilities and the Need for Improved Security

The Insecure Direct Object Reference (IDOR) Vulnerabilities

In a joint advisory by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA), it was highlighted that web and mobile application developers must take greater precautions in creating secure applications. Attackers are increasingly targeting web application programming interfaces (APIs) to compromise cloud and mobile services. Of particular concern are insecure direct object reference (IDOR) vulnerabilities, which pose a significant threat because they are difficult to prevent outside the development process and can be exploited at scale.

IDOR vulnerabilities occur when an application allows access to information or web resources using an identifier or key without properly authenticating or authorizing the user. These vulnerabilities are commonly exploited and can be automated, posing a grave risk to end-user organizations. The advisory emphasized that such vulnerabilities can lead to unintended exposure of information or large-scale data breaches where sensitive information is accessed by malicious actors.

Real-Life Instances of API Vulnerabilities

Instances of lax security in web applications have already resulted in serious consequences. For example, in 2021, vulnerabilities in the API of a popular monitoring application exposed call records, messages, photos, and other user data. Similarly, the API for Peloton fitness equipment had endpoints that could be exploited by unauthorized attackers to collect information on subscribers, including prominent personalities such as the current President of the United States. These incidents underscore the urgency of addressing API vulnerabilities.

The Increasing Importance of APIs in Today’s Digital Landscape

The significance of addressing API vulnerabilities has escalated due to the widespread adoption of APIs. Not only are APIs prevalent on the Internet, but they are also used to connect Internet of Things (IoT) devices, cars, and vehicles. Jason Kent, a hacker-at-large for Cequence Security, an API security firm, emphasizes that APIs are now the foundation of the internet, making their security paramount. The constant flow of telematic data between interconnected devices highlights the critical role APIs play in today’s digital landscape.

The Soaring Costs of Insecure Web APIs

The financial impact of insecure web APIs cannot be underestimated. Marsh McLennan estimates that in 2022, US companies could lose between $12 billion and $23 billion due to API compromises. To combat these rising losses, the Open Worldwide Application Security Project (OWASP) has released an updated top-10 list of API security issues, with IDOR vulnerabilities occupying the top spot. Paulo Silva, co-leader of the OWASP API Security Project, reveals that IDOR issues account for approximately 25% of vulnerabilities found in typical bug bounty engagements.

The Role of Secure Design, Education, and Analysis

To address the escalating threat of API vulnerabilities, developers must focus on educating themselves about secure design principles for web applications. They should also utilize analysis tools to check their code for common API flaws and misconfigurations. Additionally, applications that have already been deployed should undergo a rigorous security analysis process. This process entails creating a security design document, comparing the application to the document, and conducting tests with real users to uncover any potential vulnerabilities.

Cequence Security‘s Jason Kent suggests that observing users interact with live data on the platform provides developers with insights into necessary changes. This approach allows them to identify potential leaks of sensitive information such as credit card numbers or social security numbers.

The Importance of Web Application Firewalls

Implementing a web application firewall (WAF) can be instrumental in both instrumenting the application and protecting against attacks for which developers may not yet be aware. According to Tim Erlin, head of product at Wallarm, an API security firm, CISA’s recommendation of implementing a WAF should be a higher priority. The WAF’s capabilities should explicitly include the detection and prevention of attacks against APIs. Security teams must be empowered to take proactive measures while waiting for developers, whether in-house or vendors, to rectify vulnerabilities.

Conclusion

The increasing prevalence of API vulnerabilities necessitates a greater focus on securing web and mobile applications. The pernicious nature of insecure direct object reference (IDOR) vulnerabilities poses significant risks, particularly due to their susceptibility to automated attacks. The real-world incidents of API breaches highlight the urgent need for improved security practices and education among developers. Furthermore, implementing web application firewalls and conducting thorough security analyses can help mitigate risks associated with API vulnerabilities. The continued growth of APIs in our interconnected digital landscape underscores the criticality of securing these interfaces to safeguard against data breaches and financial losses.