Toppling the App Jenga Tower – Pulling the API Parameter Piece

All of us have seen Jenga, the topple-the-tower game. Today's enterprise applications very much resemble that tower: a myriad of services and their instances, each glued together by APIs much like the wooden blocks. Unknown to the enterprise is the fact that it doesn't take much for an adversary to break these APIs if they know the right piece to pull. One such piece is the API parameter. The entire app tower can crumble when a single piece is pulled, as in the case of the Fiserv Inc. flaw. Even the prestigious Black Hat conference was shown to be vulnerable.

Black Hat is a cybersecurity conference held annually in Las Vegas, USA. Registration for the conference required a real name and contact information along with a bunch of other data. Those attending the conference this year were given an NFC badge to be used throughout the conference floor. Annoyed with the badge and lanyard, a security researcher going by the Twitter handle @NinjaStyle82 carefully dissected the BCard app that read the NFC badge and identified that the eventID and badgeID parameters could be tampered with to pull the entire Black Hat 2018 attendee data set over an unauthenticated API.

Today, KrebsOnSecurity published details about a flaw in the Fiserv Inc. web platform that exposed personal and financial details of countless customers across hundreds of banks. Fiserv Inc. is a Fortune 500 company that powers the websites of numerous banks, primarily small community banks and credit unions. By tampering with the "event number" API parameter of his bank's web API, which was powered by Fiserv, a security researcher by the name of Kristian Erik Hermansen was able to view another bank customer's details, including email address, phone number, and full bank account numbers.

A few days ago, BuzzFeed News reported two separate incidents where T-Mobile and AT&T customers' account PINs were exposed due to flaws in their web APIs. In T-Mobile's case the account validation API allowed an unlimited number of attempts to guess an account PIN, which was one of the API parameters. A brute-force attack trying different 4-digit combinations leaked customer PINs. A very similar flaw was discovered with the phone insurance company Asurion and its AT&T customers: a brute-force attack trying different values of the passcode API parameter revealed the customer passcodes.

These flaws highlight the devastating effects of API parameter tampering when it is neither checked nor detected. In the above scenarios it was the leakage of personal information as well as financial data. But the risk is not limited to these; it could extend anywhere from leakage of health information to enterprise intellectual property.
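As an added example, not code from this post or from ArecaBay's product, the following Python scans constructed API access log lines for the two abuse patterns described above: one client walking through many badgeID values on a record endpoint (enumeration through an unauthenticated ID parameter) and one client trying many PIN values against a single account (brute force of a secret parameter). The log format, endpoint paths, parameter names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not real traffic): time client method path query status
SAMPLE_LOG = """\
10:00:01 198.51.100.7 GET /attendee eventID=2018&badgeID=1001 200
10:00:02 198.51.100.7 GET /attendee eventID=2018&badgeID=1002 200
10:00:02 198.51.100.7 GET /attendee eventID=2018&badgeID=1003 200
10:00:03 198.51.100.7 GET /attendee eventID=2018&badgeID=1004 200
10:00:03 198.51.100.7 GET /attendee eventID=2018&badgeID=1005 200
10:00:09 203.0.113.5 GET /attendee eventID=2018&badgeID=4242 200
10:01:00 203.0.113.9 POST /validate account=555-0100&pin=0000 403
10:01:00 203.0.113.9 POST /validate account=555-0100&pin=0001 403
10:01:01 203.0.113.9 POST /validate account=555-0100&pin=0002 403
10:01:01 203.0.113.9 POST /validate account=555-0100&pin=0003 403
10:01:02 203.0.113.9 POST /validate account=555-0100&pin=0004 200
10:02:00 203.0.113.44 POST /validate account=555-0199&pin=7312 200
"""

def parse_line(line):
    """Split one assumed-format log line into its fields and a params dict."""
    ts, client, method, path, query, status = line.split()
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    return {"ts": ts, "client": client, "method": method, "path": path,
            "params": params, "status": int(status)}

def find_enumeration(lines, id_param, threshold=5):
    """Clients that requested >= threshold distinct values of an object-ID parameter."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        if id_param in rec["params"]:
            seen[rec["client"]].add(rec["params"][id_param])
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)

def find_pin_bruteforce(lines, path, secret_param, subject_param, threshold=5):
    """(client, subject) pairs that tried >= threshold distinct secrets on one subject."""
    tries = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["path"] == path and secret_param in rec["params"]:
            key = (rec["client"], rec["params"].get(subject_param, "?"))
            tries[key].add(rec["params"][secret_param])
    return sorted(k for k, v in tries.items() if len(v) >= threshold)

def scan(log_text=SAMPLE_LOG):
    """Run both detectors over the log and return the flagged clients."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {"badge_enumeration": find_enumeration(lines, "badgeID"),
            "pin_bruteforce": find_pin_bruteforce(lines, "/validate", "pin", "account")}

if __name__ == "__main__":
    print(scan())
```

Note that the PIN detector keys on distinct secret values per account, not on failed status codes, so it still fires when the final guess succeeds and returns 200.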

Enterprise security teams need new tools that are built from the ground up to keep their app tower from toppling. They need the following to get a grasp of their API ecosystem and its protection.

  • Non-Intrusive: Enterprise applications use a mix of legacy and modern service-oriented architectures. Any API security tool that is to be adopted must be non-intrusive.
  • Contextual Visibility: The tool needs to provide contextual visibility of the application transaction with surgical accuracy.
  • Intelligent Zero-Day Detection: The tool must be capable of detecting zero-day leakage of sensitive data without any pre-defined rules.

The existing security tools available to enterprises do not solve the flaws highlighted here. As an example, for the above three scenarios, Cloud Workload Protection Platforms (CWPP) and Runtime Application Self-Protection (RASP) do not provide much protection. API gateways themselves generally add no security layer at all, let alone one that covers these two scenarios.

ArecaBay, with the industry's first and only API transaction protection product, can seamlessly secure the entire activity flow in all the scenarios described above as well as many other use cases. Email us to find out more about how we can provide a unique security solution for your application needs.