“By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise applications”

Leaky App

Applications often define APIs that serve different customers for different purposes. When APIs are invoked to retrieve data, if the caller roles are not sufficiently verified against the intended usage of an API, critical business data can be leaked.

“T-Mobile bug let anyone see any customer’s account details... - ZDNet”

A major mobile service provider exposed to the internet an API intended for employees to look up customers' private account information, including the account security PIN.

“America’s JobLink Data Incident... - AJLA”

A hack of a major government website was determined to be caused by insufficient segregation.

Compromised Credentials

Despite heavy investments in counter-measures, attacks such as phishing and social engineering are still successful in compromising user credentials.

“Lessons From Recent Hacks: Creating Strong Passwords - Tripwire”

A recent successful attack against a major healthcare provider reportedly involved at least five compromised credentials.

Authorization Token Reuse

Inter-application authorizations are performed using tokens such as OAuth tokens. Not all tokens are created equal: if the target application does not sufficiently validate the presented token against additional information from the session (the user, client and scope it was issued for), a token issued for one application access may be reused to obtain unauthorized access to other parts of the application.

"Authentication bypass on Airbnb via OAuth tokens theft – Arne Swinnen."

At least one attack against a major online hospitality service was reported to have leveraged a compromised OAuth token.

Session Manipulation

In an increasingly open environment, a validated session can be an under-protected attack channel. Keeping track of sessions becomes even more difficult when a single user activity flow spans multiple segments of API calls.

"Hackers Could Turn LG Smart Appliances Into ... - The Hacker News."

The LG Home hack was root-caused to a vulnerability in its cloud management application, which failed to catch API calls made with an otherwise validated session but carrying a user account ID that had been changed from the one the session was issued for.
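The two failures above (an employee-only lookup exposed to any caller, and a valid session replayed against another user's account ID) are both missing authorization checks on the API handler. The following is an added example, not code from the original page or from any of the vendors named: a minimal account-lookup handler that checks the caller's role against the endpoint, binds the session to the device it was issued to, and refuses to return a record that the session's user does not own. Sessions, accounts, roles and field lists are constructed in-memory sample data.

```python
"""Session-bound authorization for an account-lookup API (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str        # "customer", "employee" or "partner" (constructed roles)
    device_id: str   # bound at login and compared on every call


# Constructed sample data (hypothetical users, accounts and sessions).
SESSIONS: Dict[str, Session] = {
    "sess-alice": Session(user_id="alice", role="customer", device_id="dev-a"),
    "sess-bob": Session(user_id="bob", role="customer", device_id="dev-b"),
    "sess-clerk": Session(user_id="clerk7", role="employee", device_id="dev-kiosk"),
    "sess-partner": Session(user_id="partnerapp", role="partner", device_id="dev-p"),
}
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "acct-100": {"owner": "alice", "phone": "555-0100", "security_pin": "4821"},
    "acct-200": {"owner": "bob", "phone": "555-0200", "security_pin": "9137"},
}

# Which roles may call the endpoint at all (the "intended usage" check).
ENDPOINT_ROLES = {"account.lookup": {"customer", "employee"}}

# Which fields each role may see. The security PIN is never returned by a
# lookup; PIN verification belongs in a separate compare-only endpoint.
VISIBLE_FIELDS = {"customer": {"phone"}, "employee": {"owner", "phone"}}


def lookup_account(session_id: str, device_id: str,
                   account_id: str) -> Tuple[str, Union[Dict[str, str], str]]:
    """Return ("ok", visible_fields) or ("denied", reason)."""
    session = SESSIONS.get(session_id)
    # 1. The session must exist and must come from the device it was bound to.
    if session is None or session.device_id != device_id:
        return "denied", "invalid session"
    # 2. The caller's role must be permitted to use this endpoint at all.
    if session.role not in ENDPOINT_ROLES["account.lookup"]:
        return "denied", "role not permitted"
    account = ACCOUNTS.get(account_id)
    # 3. Ownership: a customer session may only read the account it owns.
    #    Missing and foreign accounts get the same answer to avoid enumeration.
    if account is None or (session.role == "customer"
                           and account["owner"] != session.user_id):
        return "denied", "no such account"
    # 4. Field-level filtering by role.
    visible = VISIBLE_FIELDS[session.role]
    return "ok", {k: v for k, v in account.items() if k in visible}


if __name__ == "__main__":
    print(lookup_account("sess-alice", "dev-a", "acct-100"))   # own account
    print(lookup_account("sess-alice", "dev-a", "acct-200"))   # someone else's
    print(lookup_account("sess-partner", "dev-p", "acct-100"))  # wrong role
```

The ownership check in step 3 is the one the session-manipulation case lacked: the account ID in the request is compared with the user the session was issued for, rather than trusted because the session itself is valid. Returning the same "no such account" answer for missing and foreign records keeps the endpoint from confirming which IDs exist.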

Parameter Tampering

API calls exchanged between application components contain parameters critical to the function of the application. The tampering of these parameters can lead to serious consequences.

“Parameter tampering flaw allowed Pwnedlist to get ... - SC Magazine UK”

A website tracking cybersecurity breaches was itself breached by hackers leveraging a parameter tampering attack.

"A Cyberattack Has Caused Confirmed Physical Damage ... - Wired."

An industrial furnace reportedly suffered severe damage after an attacker used a compromised control interface to shut down its temperature regulation unit, leading to a meltdown.
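Parameters that travel between application components, or round-trip through a client, should be integrity-protected so that tampering is detected, and then checked against what the receiving component considers an allowed value regardless of who sent them. The following is an added example, not code from the original page or from either reported incident: parameters are serialized canonically, signed with HMAC-SHA256 and given an expiry, and the receiving side verifies the signature with a constant-time compare before applying a range check to a control setpoint. The key, the `furnace_temp_c` parameter name and its limits are constructed for the example.

```python
"""HMAC-protected API parameters plus server-side range validation (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _encode(obj: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same parameters always
    # produce the same bytes, then URL-safe base64 for transport.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_params(params: dict, key: bytes, now: Optional[float] = None,
                ttl: int = 300) -> str:
    """Return '<payload>.<hex mac>' for params, valid for ttl seconds."""
    body = dict(params, _exp=int((now if now is not None else time.time()) + ttl))
    payload = _encode(body)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_params(token: str, key: bytes,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the parameters if the MAC is valid and unexpired, else None."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' leaks timing about the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    current = now if now is not None else time.time()
    # A missing expiry is treated as already expired.
    if body.pop("_exp", 0) < current:
        return None
    return body


# Constructed limits for a hypothetical control setpoint.
SETPOINT_LIMITS = {"furnace_temp_c": (200, 1300)}


def apply_setpoint(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Accept a signed setpoint only if it is authentic AND within limits."""
    params = verify_params(token, key, now)
    if params is None:
        return "rejected: integrity"
    name, value = params.get("name"), params.get("value")
    limits = SETPOINT_LIMITS.get(name)
    # Even an authentic request is bounded: a compromised but legitimate
    # caller must not be able to push the unit outside its safe range.
    if (limits is None or isinstance(value, bool)
            or not isinstance(value, (int, float))
            or not limits[0] <= value <= limits[1]):
        return "rejected: out of range"
    return f"applied {name}={value}"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    tok = sign_params({"name": "furnace_temp_c", "value": 900}, demo_key)
    print(apply_setpoint(tok, demo_key))
    print(apply_setpoint(tok[:-4] + "0000", demo_key))  # altered MAC
```

The two checks are deliberately independent: the MAC answers "did a holder of the key produce exactly these parameters", and the range check answers "is this value acceptable at all". The second check is what limits the damage when, as in the furnace case, the interface issuing the command is itself compromised.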

Context Obfuscation

With API integrations, a particular user activity flow spans multiple call segments, and the initial context information is lost along the way. The missing context (about the originating users and devices) makes root-cause or forensic analysis very difficult.

"Google Crawler Tricked into Performing SQL Injection ... - ArsTechnica."

It has also been reported that attackers are well aware of this limitation and have attempted SQL injection attacks through publicly available intermediaries such as Google's crawler in order to hide their tracks.
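The mitigation for lost context is to carry the originating identity through every call segment rather than letting each hop see only the component that called it. The following is an added example, not code from the original page or from any named vendor: an edge service captures the originating user, device and client address into a set of propagation headers, each downstream service forwards them unchanged while adding its own caller identity, every hop logs them, and a small reconstruction function rebuilds the full chain for one trace ID from those log entries. The service names, header names and in-memory log store are constructed for the example.

```python
"""Propagating origin context across API call segments (added example)."""
import uuid
from typing import Dict, List, Tuple

# Headers that carry the originating context end to end (constructed names).
CONTEXT_HEADERS = ("X-Trace-Id", "X-Origin-User", "X-Origin-Device", "X-Origin-Ip")

# Constructed in-memory stand-in for a central log pipeline.
LOG: List[Dict[str, str]] = []


def new_context(user_id: str, device_id: str, client_ip: str) -> Dict[str, str]:
    """Create the context headers at the edge, where the real origin is known."""
    return {
        "X-Trace-Id": uuid.uuid4().hex,
        "X-Origin-User": user_id,
        "X-Origin-Device": device_id,
        "X-Origin-Ip": client_ip,
    }


def log_call(service: str, endpoint: str, headers: Dict[str, str]) -> None:
    """Every hop records the propagated context alongside its own identity."""
    entry = {"service": service, "endpoint": endpoint,
             "caller": headers.get("X-Caller-Service", "client")}
    entry.update({h: headers.get(h, "") for h in CONTEXT_HEADERS})
    LOG.append(entry)


def forward(headers: Dict[str, str], from_service: str) -> Dict[str, str]:
    """Copy the origin headers unchanged and stamp the immediate caller."""
    out = {h: headers[h] for h in CONTEXT_HEADERS if h in headers}
    out["X-Caller-Service"] = from_service
    return out


def db_service(headers: Dict[str, str], query: str) -> str:
    # An internal component refuses requests that arrive without origin
    # context: a call it cannot attribute is a call it should not serve.
    if any(not headers.get(h) for h in CONTEXT_HEADERS):
        log_call("db-proxy", "/query (rejected)", headers)
        return "error: missing origin context"
    log_call("db-proxy", "/query", headers)
    return f"results for {query!r}"


def search_service(headers: Dict[str, str], query: str) -> str:
    log_call("search-svc", "/internal/search", headers)
    return db_service(forward(headers, "search-svc"), query)


def edge_service(user_id: str, device_id: str, client_ip: str,
                 query: str) -> Tuple[str, str]:
    """Public entry point; returns (trace_id, result)."""
    ctx = new_context(user_id, device_id, client_ip)
    log_call("edge-api", "/search", ctx)
    return ctx["X-Trace-Id"], search_service(forward(ctx, "edge-api"), query)


def reconstruct(trace_id: str) -> List[Tuple[str, str, str]]:
    """Rebuild (service, caller, origin user) for every hop of one trace."""
    return [(e["service"], e["caller"], e["X-Origin-User"])
            for e in LOG if e["X-Trace-Id"] == trace_id]


if __name__ == "__main__":
    tid, _ = edge_service("alice", "dev-a", "203.0.113.5", "widgets")
    for hop in reconstruct(tid):
        print(hop)
```

Without the forwarded headers the innermost service would log only "called by search-svc", which is the lost-context situation the section describes; with them, the log line at every hop names the user and device that started the flow, so an analyst can reconstruct the chain from any segment.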