Applications often define APIs that serve different customers for different purposes. When APIs are invoked to retrieve data, if the caller roles are not sufficiently verified against the intended usage of an API, critical business data can be leaked.
A major mobile service provider left open to the internet an API intended for employees to look up customers' private account information, including the security PIN.
A hack of a major government website was determined to be caused by insufficient segregation.
Despite heavy investments in counter-measures, attacks such as phishing and social engineering are still successful in compromising user credentials.
Reportedly, a recent successful attack against a major healthcare provider involved at least five compromised credentials.
In an increasingly open environment, a validated session can be an under-protected attack channel. It becomes even harder to keep track of sessions when a single user activity flow spans multiple segments of API calls.
The LG Home hack was root-caused to a vulnerability in its cloud management application that failed to catch API calls made with an otherwise validated session but with a user account ID that had been changed from the one the session was originally issued for.
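The two failure modes above, an API reached by a role it was not intended for and a validated session used to read another user's account, are both authorization checks that the server must make on every call. The block below is an added example written for this page, not code from the original text or from any of the incidents it mentions; the endpoint names, roles, field names and sample account records are constructed assumptions. It enforces the intended roles per endpoint (function-level), ties the account being read to the session's subject (object-level), and strips fields such as the security PIN that no caller role should ever receive.

```python
"""Added example, not code from the original article or from the named incidents:
a small authorization layer for an account-lookup API. Endpoint names, roles,
field names and sample records are constructed assumptions."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Session:
    session_id: str
    subject: str            # account ID the session was issued for
    roles: frozenset


@dataclass(frozen=True)
class Request:
    endpoint: str
    account_id: str         # account ID supplied by the caller in the request


# Constructed policy: which roles each endpoint was designed to serve.
ENDPOINT_ROLES = {
    "GET /internal/accounts/{id}": frozenset({"support_agent"}),
    "GET /accounts/{id}": frozenset({"customer", "support_agent"}),
}

# Constructed policy: which fields each role may receive. The security PIN is
# deliberately absent from every list, so it never leaves the server.
FIELD_ALLOWLIST = {
    "customer": frozenset({"account_id", "plan", "balance"}),
    "support_agent": frozenset({"account_id", "plan", "balance", "address"}),
}

# Constructed sample data store.
ACCOUNTS = {
    "acct-100": {"account_id": "acct-100", "plan": "basic", "balance": 12.5,
                 "address": "1 Example St", "security_pin": "4321"},
    "acct-200": {"account_id": "acct-200", "plan": "pro", "balance": 99.0,
                 "address": "2 Example St", "security_pin": "8765"},
}


def authorize(session: Session, request: Request) -> None:
    """Raise AuthorizationError unless both checks pass; deny by default."""
    allowed = ENDPOINT_ROLES.get(request.endpoint)
    if allowed is None:
        raise AuthorizationError("unknown endpoint")
    # Function-level: the caller must hold a role the endpoint is intended for.
    if not session.roles & allowed:
        raise AuthorizationError("role not permitted for this endpoint")
    # Object-level: a customer may only read the account bound to the session,
    # whatever account ID the caller put in the request.
    if "support_agent" not in session.roles and request.account_id != session.subject:
        raise AuthorizationError("requested account does not match session subject")


def lookup_account(session: Session, request: Request) -> dict:
    """Authorize, then return only the fields the caller's roles allow."""
    authorize(session, request)
    record = ACCOUNTS.get(request.account_id)
    if record is None:
        raise KeyError(request.account_id)
    visible = frozenset().union(*(FIELD_ALLOWLIST.get(r, frozenset()) for r in session.roles))
    return {k: v for k, v in record.items() if k in visible}


if __name__ == "__main__":
    customer = Session("s1", "acct-100", frozenset({"customer"}))
    print(lookup_account(customer, Request("GET /accounts/{id}", "acct-100")))
    try:
        lookup_account(customer, Request("GET /accounts/{id}", "acct-200"))
    except AuthorizationError as exc:
        print("denied:", exc)
```

The object-level check is the one that would have caught a request whose account ID differs from the session's subject: the session is still valid, but it was never issued for that account. The field allowlist is a separate control, so even an employee-facing endpoint cannot return the PIN if the policy does not list it.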
API calls exchanged between application components contain parameters critical to the function of the application. The tampering of these parameters can lead to serious consequences.
A website tracking cybersecurity breaches was itself breached by hackers leveraging a parameter tampering attack.
An industrial furnace reportedly suffered severe damage after an attacker used a compromised control interface to shut down its temperature regulation unit, leading to a meltdown.
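Parameters exchanged between components need two protections: integrity, so a value altered in transit is detected before it is acted on, and server-side re-validation, so a command that is intact but unsafe is still refused. The block below is an added example written for this page, not code from the original text or from the furnace incident; the command names, numeric limits and shared key are constructed assumptions. It signs the canonical parameter set with an HMAC and, on the receiving side, checks the tag first and then validates the command against an allowlist and per-parameter bounds.

```python
"""Added example, not code from the original article: integrity-protecting and
re-validating parameters passed between application components. Command names,
bounds and the shared key are constructed assumptions."""
import hashlib
import hmac
import json

# Constructed shared key; in practice it comes from a secrets store.
SHARED_KEY = b"example-shared-key-not-for-production"

# Constructed policy: the only commands the control interface accepts, and the
# bounds each numeric parameter must stay within.
ALLOWED_COMMANDS = {
    "set_temperature": {"target_c": (200.0, 1200.0)},
    "set_ramp_rate": {"deg_per_min": (1.0, 50.0)},
}


def canonical(params: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash identical bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign(params: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: HMAC-SHA256 over the canonical parameter set."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(sign(params, key), tag)


def validate_command(params: dict) -> tuple:
    """Return (ok, reason). Rejects unknown commands, unexpected or missing
    parameters, non-numeric values and values outside the configured bounds."""
    command = params.get("command")
    spec = ALLOWED_COMMANDS.get(command)
    if spec is None:
        return False, "command not in allowlist"
    supplied = {k for k in params if k != "command"}
    if supplied != set(spec):
        return False, "unexpected or missing parameters"
    for name, (low, high) in spec.items():
        value = params[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, f"{name} is not numeric"
        if not low <= value <= high:
            return False, f"{name} out of range"
    return True, "ok"


def handle(params: dict, tag: str) -> tuple:
    """Receiving side: integrity check first, then semantic validation."""
    if not verify(params, tag):
        return False, "integrity check failed"
    return validate_command(params)


if __name__ == "__main__":
    cmd = {"command": "set_temperature", "target_c": 850.0}
    tag = sign(cmd)
    print(handle(cmd, tag))                                  # accepted
    print(handle(dict(cmd, target_c=2000.0), tag))            # tampered value
    print(handle({"command": "disable_regulation"}, sign({"command": "disable_regulation"})))
```

The order matters: the HMAC proves the parameters are what the trusted sender emitted, while the allowlist and bounds are what stop a legitimately signed but dangerous command, such as one that would switch regulation off, from ever reaching the equipment.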
With API integrations, a single user activity flow spans multiple call segments, and the initial context information is lost along the way. The missing context (about the users and devices involved) makes root-cause or forensic analysis very difficult.
It has also been reported that hackers are well aware of such limitations and have attempted SQL injection attacks through publicly available tools such as the Google crawler in order to hide their tracks.
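The loss of context described above is avoidable if the entry point mints a trace identifier together with the originating user and device, and every downstream segment carries those values forward unchanged and logs them. The block below is an added example written for this page, not code from the original text; the header names, service names and the three-segment flow are constructed assumptions. It shows the context being created, propagated hop by hop, attached to each log record, and then used to reconstruct one activity end to end.

```python
"""Added example, not code from the original article: propagating the initial
user/device context across every segment of a multi-service API flow so that
the segments can be stitched back together during an investigation. Header
names, service names and the sample flow are constructed assumptions."""
import uuid

TRACE = "X-Trace-Id"
USER = "X-Origin-User"
DEVICE = "X-Origin-Device"
HOP = "X-Hop"


def new_context(user_id: str, device_id: str) -> dict:
    """Created once at the entry point (e.g. an API gateway) of a user activity."""
    return {TRACE: str(uuid.uuid4()), USER: user_id, DEVICE: device_id, HOP: 0}


def propagate(headers: dict) -> dict:
    """Each downstream segment copies the context forward and increments the hop
    counter; it never overwrites the originating user or device, and it refuses
    to continue a flow that arrives without context."""
    required = (TRACE, USER, DEVICE, HOP)
    if any(h not in headers for h in required):
        raise ValueError("context headers missing: refuse to continue the flow")
    return {TRACE: headers[TRACE], USER: headers[USER],
            DEVICE: headers[DEVICE], HOP: int(headers[HOP]) + 1}


def log_event(ctx: dict, service: str, action: str, detail: str = "") -> dict:
    """Structured log record; every hop carries the original context."""
    return {"trace_id": ctx[TRACE], "user_id": ctx[USER], "device_id": ctx[DEVICE],
            "hop": ctx[HOP], "service": service, "action": action, "detail": detail}


def simulate_flow(user_id: str = "u-42", device_id: str = "dev-7") -> list:
    """Constructed three-segment flow: gateway -> orders -> inventory."""
    logs = []
    ctx = new_context(user_id, device_id)
    logs.append(log_event(ctx, "gateway", "POST /orders"))
    ctx = propagate(ctx)                       # first downstream call segment
    logs.append(log_event(ctx, "orders", "create_order", "sku=abc"))
    ctx = propagate(ctx)                       # second downstream call segment
    logs.append(log_event(ctx, "inventory", "reserve", "sku=abc qty=1"))
    return logs


def reconstruct(logs: list, trace_id: str) -> list:
    """Forensics: every segment of one activity, in call order, with the
    originating user attached to each hop."""
    segments = sorted((r for r in logs if r["trace_id"] == trace_id), key=lambda r: r["hop"])
    return [(r["hop"], r["service"], r["action"], r["user_id"]) for r in segments]


if __name__ == "__main__":
    records = simulate_flow()
    for step in reconstruct(records, records[0]["trace_id"]):
        print(step)
```

Because the originating user and device ride along with the trace identifier rather than being re-derived at each hop, the last segment still knows who started the activity, which is exactly the information an analyst needs when the suspicious call is the final one in the chain.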