Parameter Tampering

API calls exchanged between app components carry parameters that are critical to the function of the app. Tampering with these parameters can have serious consequences.

“Parameter tampering flaw allowed Pwnedlist to get ...”, SC Magazine UK, 3 May 2016

A website tracking cybersecurity breaches was itself breached by hackers leveraging a parameter tampering attack.

https://www.wired.com/2015/01/german-steel-mill-hack-destruction/

An industrial furnace suffered severe damage, reportedly because an attacker used a compromised control interface to shut down its temperature regulation unit, leading to a meltdown.


Context Obfuscation

With API integration, a single user activity flow spans multiple call segments, so the initial context is lost along the way. The missing context (about the users and devices involved) makes root-cause and forensic analysis very difficult.

https://arstechnica.com/information-technology/2013/11/google-crawler-tricked-into-performing-sql-injection-attacks-using-decade-old-technique/

It has also been reported that hackers are well aware of this limitation and have tried SQL injection attacks through publicly available tools such as Google's crawler to hide their tracks.


Leaky App

Apps often define APIs that serve different customers for different purposes. When an API is invoked to retrieve data and the caller's role is not sufficiently verified against the intended usage of that API, critical business data can be leaked.

“T-Mobile bug let anyone see any customer’s account details”, 28 May 2018

A major mobile service provider left an API intended for staff to look up customers' private account information, including the security PIN, open to the public.

“America’s JobLink Data Incident”, 22 March 2017

A hack of a major government job website was determined to be caused by insufficient segregation
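The two failure modes above, a lookup API exposed to callers it was never intended for (Leaky App) and a caller-supplied identifier trusted instead of the authenticated identity (Parameter Tampering), can be demonstrated side by side. This is an added example, not code from any of the incidents cited; the routes, role names and account data are constructed for illustration, and the caller's roles are assumed to come from an already verified token.

```python
"""Vulnerable vs. hardened dispatch for a customer account lookup API.

Constructed example: ROUTE_POLICY records which caller roles each route is
intended for; the hardened dispatcher enforces it and keys the self-service
route off the authenticated caller, not a client-supplied account id.
"""
from dataclasses import dataclass, field

# Constructed sample account store (assumption: not from any real system).
ACCOUNTS = {
    "cust-1001": {"name": "A. Example", "plan": "unlimited", "pin": "4821"},
    "cust-1002": {"name": "B. Example", "plan": "prepaid", "pin": "9035"},
}

# Intended audience per route: the internal lookup is for staff only.
ROUTE_POLICY = {
    "/internal/account/lookup": {"staff"},
    "/v1/account/me": {"customer", "staff"},
}


@dataclass
class Request:
    path: str
    caller_id: str                              # identity from the verified token
    roles: set = field(default_factory=set)     # roles from the verified token
    params: dict = field(default_factory=dict)  # client-controlled query parameters


class Forbidden(Exception):
    pass


def handle_leaky(req: Request) -> dict:
    """Vulnerable: no role check, and the self-service route trusts a client id."""
    if req.path == "/internal/account/lookup":
        return dict(ACCOUNTS[req.params["account_id"]])       # PIN returned to anyone
    if req.path == "/v1/account/me":
        return dict(ACCOUNTS[req.params.get("account_id", req.caller_id)])  # tamperable
    raise KeyError(req.path)


def handle_hardened(req: Request) -> dict:
    """Hardened: caller role must match the route's intended audience."""
    allowed = ROUTE_POLICY.get(req.path)
    if allowed is None or not (req.roles & allowed):
        raise Forbidden(f"{req.path} is not available to roles {sorted(req.roles)}")
    if req.path == "/internal/account/lookup":
        rec = ACCOUNTS[req.params["account_id"]]
        # Even staff get a presence flag rather than the raw PIN.
        return {"name": rec["name"], "plan": rec["plan"], "pin_set": bool(rec["pin"])}
    # Self-service route: the account is always the authenticated caller's own.
    rec = ACCOUNTS[req.caller_id]
    return {"name": rec["name"], "plan": rec["plan"]}
```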