A flaw identified in USPS website APIs potentially exposed data from 60 Million users. This blog does a quick rundown of how the flaw could be exploited, where exactly it is located, and most importantly, how you can protect your organization from similar API flaws.
Confucius taught us more than 2000 years ago: “Listen to his claims, but watch his actions.” Things are not what they claim to be. Such words of wisdom speak volumes in light of the most recent Facebook access token leak.
According to one of Facebook’s blog posts, a large number of access tokens were potentially stolen by hackers due to vulnerabilities in the “View As” feature. Facebook executives offered more details according to this TechCrunch report.
Today’s enterprise applications very much resemble the tower: a myriad of services and their instances, each glued together by APIs much like the wooden blocks. Unaware to the enterprise is the fact that it doesn't take much for an adversary to break these APIs if they know the right piece to pull. One such piece is the API parameter. The entire App Tower would sometimes crumble when a single piece is pulled, as in the case of the Fiserv Inc. flaw. Even the prestigious Blackhat conference was shown to be vulnerable
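To make the "one piece to pull" point concrete, here is an added example (not code from the original post, nor from USPS, Facebook or Fiserv) of an API handler that trusts a client-supplied record identifier, placed beside a hardened version that binds the parameter to the authenticated caller, plus a small detection helper that flags requests where the two disagree. The user store, the `Request` shape, the `id` parameter name and the sample requests are all constructed for illustration.

```python
"""Added example: an API endpoint whose single 'id' parameter is the piece
that, if trusted blindly, lets any caller read any record.  Everything here
(store, request shape, parameter name) is a constructed stand-in."""
from dataclasses import dataclass, field

# Constructed sample data standing in for a real backend database.
USERS = {
    101: {"name": "alice", "email": "alice@example.com"},
    102: {"name": "bob", "email": "bob@example.com"},
}


@dataclass
class Request:
    authenticated_user_id: int          # principal the server derived from the session/token
    params: dict = field(default_factory=dict)  # client-controlled query parameters


class Forbidden(Exception):
    """Raised when a caller asks for an object it does not own."""


def vulnerable_profile_lookup(req: Request) -> dict:
    """Trusts the client-supplied 'id' outright: any authenticated caller can
    read any record by changing one number (broken object-level authorization)."""
    return USERS[int(req.params["id"])]


def hardened_profile_lookup(req: Request) -> dict:
    """Accepts the same parameter but requires it to match the identity the
    server already established; the client never decides whose record it gets."""
    requested = int(req.params.get("id", req.authenticated_user_id))
    if requested != req.authenticated_user_id:
        raise Forbidden(
            f"user {req.authenticated_user_id} may not read record {requested}")
    return USERS[requested]


def is_allowed(req: Request) -> bool:
    """Convenience wrapper: True if the hardened handler serves the request."""
    try:
        hardened_profile_lookup(req)
        return True
    except Forbidden:
        return False


def flag_parameter_tampering(requests: list) -> list:
    """Detection side: return the callers whose requested 'id' disagreed with
    their session identity.  Repeated mismatches from one caller are the
    signature of someone walking the id space through this parameter."""
    suspects = []
    for req in requests:
        requested = int(req.params.get("id", req.authenticated_user_id))
        if requested != req.authenticated_user_id:
            suspects.append(req.authenticated_user_id)
    return suspects


# Constructed sample traffic: one honest request and two with a swapped id.
SAMPLE_REQUESTS = [
    Request(101, {"id": "101"}),
    Request(101, {"id": "102"}),
    Request(102, {"id": "101"}),
]

if __name__ == "__main__":
    print("vulnerable handler leaks:", vulnerable_profile_lookup(SAMPLE_REQUESTS[1]))
    print("hardened handler allows:", [is_allowed(r) for r in SAMPLE_REQUESTS])
    print("callers to investigate:", flag_parameter_tampering(SAMPLE_REQUESTS))
```

The design choice worth noting is that the hardened handler does not strip the parameter; it keeps the API contract intact and simply refuses to let a client-controlled value override a server-derived identity, which is also exactly the comparison a monitoring rule can evaluate on every request.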