APIs, The New Attack Surface.

"By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise applications." - Gartner Report ID G00342236

 

Compromised Credentials

Despite heavy investment in counter-measures, attacks such as phishing and social engineering are still successful in compromising user credentials.

“Lessons From Recent Hacks: Creating Strong Passwords - Tripwire." Reportedly a recent successful attack against a major healthcare provider involved at least five compromised credentials.


Authorization Token Reuse

Inter-app authorizations are performed using tokens such as an OAuth token. All tokens are not created equal. If the target app does not sufficiently validate the issued token against other information from the app session, a token issued for the purpose of one app access may be used to obtain unauthorized access to other parts of the application.

"Authentication bypass on Airbnb via OAuth tokens theft – Arne Swinnen."

At least one attack against a major online hospitality service was reported to have leveraged a compromised OAuth token.


Session Manipulation

In an increasingly open environment, a validated session can be an under-protected attack channel. It would become even more difficult to keep track of sessions when a user activity flow expands multiple segments of API calls.

"Hackers Could Turn LG Smart Appliances Into ... - The Hacker News." The LG Home hack was root-caused to a vulnerability in its cloud management app that failed to catch API calls made with an otherwise validated session but with a different user account ID which was changed from the original user account ID.


Parameter Tampering

API calls exchanged between app components contain parameters critical to the function of the app. Tampering of these parameters can lead to serious consequences.

“Parameter tampering flaw allowed Pwnedlist to get ... - SC Magazine UK." A website tracking cybersecurity breaches was itself breached by hackers leveraging a parameter tampering attack. 

"A Cyberattack Has Caused Confirmed Physical Damage ... - Wired."

An industrial furnace suffered severe damages reportedly due to an attacker using a compromised control interface to shut down its temperature regulation unit, leading to a melt-down.


Context Obfuscation

With API Integration, a particular user activity flow spans multiple calls segments, leading to loss of initial context information. The missing context (about the users/devices) makes it very difficult to perform root cause or forensic analysis.

"Google Crawler Tricked into Performing SQL Injection ... - ArsTechnica." 

It has also been reported that hackers are well aware of such limitations and have tried SQL Injection attacks using publicly available tools such as Google crawler to hide their tracks.


Leaky App

Apps often define APIs that serve different customers for different purposes.  When APIs are invoked to retrieve data, if caller roles are not sufficiently verified against the intended usage of an API, critical business can be leaked.

“T-Moble bug let anyone see any customer’s account details... - ZDNet”

A major mobile service provider left open to public an API intended for staffers to look up customer private account information, including security PIN. 

“America’s JobLink Data Incident... - AJLA”

A hack of a major government job website was determined to be caused by insufficient segregation