API Vulnerabilities: A Growing Concern

Introduction

In this blog, we will cover 10 high-profile API vulnerabilities, their impact, and their importance to secure API design. Learn from these breaches to safeguard your data and maintain user trust.

APIs (Application Programming Interfaces) serve as the backbone of modern software applications, enabling communication between different systems. However, when not properly secured, APIs can become entry points for threat actors.

Here are some key lessons from recent API Vulnerabilities breaches:

1. Bumble Data Breach and API Vulnerability

Background: Bumble, a popular dating app founded in 2014, operates with a unique premise: female users must express interest in a male user before he can initiate contact.

However, the app has faced serious allegations regarding handling user data. A proposed class action lawsuit in California claims that Bumble collects extensive personal, biometric, and behavioral information from users without their knowledge or consent.

The app shares this data with third parties like Facebook and Instagram. Notably, Bumble experienced a data breach in March 2020, during which an unauthorized party accessed the entire account database, exposing profiles of approximately 100 million users. Shockingly, Bumble allegedly failed to notify users that their data remained exposed for at least eight months, if not longer.

API Vulnerability: The lawsuit highlights Bumble’s data collection practices in the context of a 2020 data breach. According to the complaint, a security researcher bypassed Bumble’s application program interface (API), leading to the breach. The vulnerability allowed unauthorized access to private data from Bumble’s servers for any user. Essentially, Bumble’s API did not perform necessary checks on user authorization and had no request limits, making it susceptible to exploitation by hackers.

Impact: The impact of the breach was significant, as it exposed sensitive user profiles for an extended period. Additionally, the lawsuit alleges that Bumble collects users’ biometric information (specifically, geometric data mapping unique facial contours) without proper authorization. This data is used for user verification and censoring lewd content within the app. Given Bumble’s emphasis on safety and security, users trusted that their personal information would remain secure.

2. Venmo’s Lax Approach to API Security

Background: Venmo, a popular payment platform owned by PayPal, allows users to send and receive money easily through its mobile app. However, the company faced a significant security issue related to its public application programming interface (API). By default, Venmo’s API made transaction records publicly accessible, allowing anyone to view ongoing transactions. This design choice had serious implications for user privacy and security.

API Vulnerability: The vulnerability stemmed from Venmo’s decision to set transaction records as “Public” by default in their API. As a result, sensitive information, including full names and transaction descriptions, was exposed. Researchers discovered that millions of Venmo payment records were accessible through an unsecured API. The API allowed unauthenticated requests, enabling anyone to harvest highly sensitive data without proper authorization.

Impact: The impact of this vulnerability was significant. Not only did it compromise user privacy, but it also exposed transaction details that could be exploited for social engineering attacks. Divorce attorneys, IRS auditors, and malicious actors could potentially misuse this information. Venmo’s API, with its 40 million active users, acted as an unlocked front door to a treasure trove of insights.

3. US Postal Service (USPS)

Background: The United States Postal Service (USPS) faced a significant security issue related to an API flaw that potentially exposed data on 60 million customers (about twice the population of Texas). The flaw was reported by a researcher to USPS more than a year ago, but it wasn’t until security blogger Brian Krebs contacted the organization that any action was taken. The vulnerable API was associated with the USPS’s “Informed Visibility” service, which aimed to provide near real-time tracking data for mail campaigns and packages.

API Vulnerability: The problem lay in an API with inadequate authentication. Users who were logged in could gain unauthenticated access to aspects of the USPS Informed Visibility service. This allowed them to query the system for account details, including email addresses, usernames, user IDs, street addresses, phone numbers, and mailing campaign data for other users. Such information could be exploited by criminals for scamming and targeted phishing purposes. Essentially, the flaw inadvertently shared critical competitive information about businesses’ mail campaign best practices with anyone who stumbled upon it.

Impact: While the USPS API flaw primarily allowed access to customer data, it highlights a widespread lack of focus on API security.

4. Coinbase

Background: Coinbase is a well-known online cryptocurrency exchange platform founded in 2012. It provides users with a platform to trade various cryptocurrencies, including Bitcoin, Ethereum, and Litecoin. With over 73 million registered users and more than $300 billion in quarterly trades, Coinbase’s security is critical due to the nature of transactions on its platform.

API Vulnerability: Recently, a security researcher named “Tree_Of_Alpha” discovered a vulnerability related to Coinbase’s “Advanced Trading” feature. This feature allows users to place orders for selling one type of cryptocurrency and use the funds to buy another. The vulnerability stemmed from a lack of proper basic validation checks in the RESTful API requests used for these transactions.

Impact: The vulnerability posed a significant risk to Coinbase users. An attacker could exploit this flaw to transfer funds from non-existent wallets, potentially leading to financial losses. Fortunately, the researcher responsibly disclosed the issue without causing substantial damage to the ecosystem or other users.

5. Peloton

Background: In May 2021, Peloton, the popular fitness equipment company, faced a security incident related to its APIs. A security researcher and consultant from Pen Test Partners, Jan Masters, discovered that Peloton’s back-end APIs lacked proper authentication. These APIs were used by Peloton exercise equipment and related subscription services to book classes and provide workout statistics. Unfortunately, the lack of authentication allowed unauthorized access to sensitive user data, including user IDs, instructor IDs, group membership, location, weight, gender, and age.

API Vulnerability: The vulnerability stemmed from broken authentication. Prior to remediation, any user or attacker with internet access could query Peloton APIs directly and obtain volumes of personally identifiable information (PII). Unlike some incidents where authentication is weak, Peloton had no authentication in place at all for these APIs. Simply knowing the API endpoint URL allowed anyone to retrieve user data. The flaw mapped directly to OWASP API2:2019 Broken User Authentication.

Impact: The breach exposed sensitive information about Peloton users, potentially leading to privacy violations and identity theft.

Also read: OWASP API Top 10 – Most Common Attacks and How to Prevent Them

6. Instagram

Background: In January 2021, a major data breach occurred when a database of account information at the company Social Arks was exposed due to a misconfigured database. This breach affected approximately 214 million social media accounts, covering 318 million records. The leak was attributed to a misconfigured database that allowed unauthorized access without requiring a password.

API Vulnerability: The vulnerability stemmed from a misconfigured database, which allowed anyone to access the data without proper authentication. The exposed information was not encrypted, making it accessible to anyone who could connect to the database. While web scraping (collecting publicly available data) is not illegal outright, scraping on most social media platforms violates their terms and conditions. Instagram, like other popular social media services, prohibits scraping. In this case, the scraped information included sensitive data from millions of accounts.

Impact: The breach exposed personal information, potentially leading to identity theft or other fraudulent activities. Although account passwords were not compromised, the leak of email addresses and phone numbers raised privacy concerns.

7. T-Mobile

Background: In January 2023, T-Mobile, a major wireless carrier, disclosed a significant data breach that affected approximately 37 million current postpaid and prepaid customer accounts. The breach occurred due to unauthorized access to T-Mobile’s systems through a vulnerable Application Programming Interface (API). The compromised data included customer account details such as names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information related to the number of lines on each account and plan features. Fortunately, sensitive information like payment details and passwords was not exposed.

API Vulnerability: The breach resulted from an unidentified malicious actor abusing an API without proper authorization. The specific API allowed access to a limited set of customer account data, excluding sensitive information like payment card details, social security numbers, driver’s license numbers, and passwords. Despite this limitation, the attacker managed to retrieve data from approximately 37 million customer accounts, although not all accounts contained the full data set. The unauthorized activity appears to have started around November 25, 2022.

Impact: While the breach did not directly jeopardize customer accounts and finances, it did expose personal information, potentially leading to identity theft or other fraudulent activities. T-Mobile promptly detected and contained the breach within a day of discovering the malicious activity. The company has also notified federal agencies and is cooperating with law enforcement.

8. Optus

Background: In September 2022, Optus, a major Australian telecommunications company, suffered a significant data breach in which as many as 10 million customer accounts were exposed. The breach raised concerns about data security and privacy. Conflicting claims emerged regarding the cause of the breach, with Optus presenting it as a complex attack on its systems, while an Optus insider and the Australian Government attributed it to human error that led to a vulnerability in the company’s Application Programming Interface (API).

API Vulnerability: The breach occurred through an unprotected and publicly exposed API. Surprisingly, this API did not require user authentication before facilitating a connection. Essentially, anyone who discovered the API on the internet could connect to it without submitting a username or password.

Impact: The impact of the Optus data breach was significant. Up to 10 million customer accounts were potentially compromised, exposing personal information such as names, addresses, and other sensitive details. While the alleged attacker initially demanded a ransom of A$1.5 million to prevent the data from being sold online, they later backed down and claimed to have deleted the data.

9. Experian

Background: In April 2021, Experian, one of the big three consumer credit bureaus, faced a significant security issue related to its Application Programming Interface (API). The vulnerability allowed anyone to look up the credit scores of tens of millions of Americans by simply providing their name and mailing address. This flaw was discovered by Bill Demirkapi, an independent security researcher, while he was exploring student loan vendors online. The API in question was used by lenders to automate queries for FICO credit scores from Experian. Unfortunately, the API could be accessed directly without any authentication, posing a serious risk to consumer data.

API Vulnerability: The Experian API vulnerability stemmed from weak authentication and security misconfiguration. Specifically, the API lacked proper authentication mechanisms, allowing unauthorized access. Additionally, excessive data exposure occurred because the API could be queried with publicly available information, such as a person’s name and address. This flaw enabled attackers to pull credit scores without proper authorization.

Impact: The impact of this vulnerability was significant. Tens of millions of Americans had their credit scores exposed, leaving them vulnerable to fraud and identity theft. Experian customers’ personal information was at risk due to this API leakage.

10. Dropbox

Background: In May 2024, Dropbox experienced a significant security breach that impacted its Dropbox Sign service. Dropbox Sign is an “eSignature solution” that allows users to send, sign, and store important documents within the Dropbox platform. Unfortunately, unknown, and unauthorized entities gained access to customer data related to all users of Dropbox Sign. This included emails, usernames, and general account settings. The incident raised concerns about the security practices surrounding this service.

API Vulnerability: The breach occurred due to a vulnerability in Dropbox Sign’s API. The threat actor accessed not only user data but also certain authentication information. For subsets of users, the attacker obtained phone numbers, hashed passwords, API keys, OAuth tokens, and multi-factor authentication details. Additionally, third parties who had received or signed a document through Dropbox Sign (without creating an account) had their email addresses and names exposed. The api vulnerability stemmed from an automated system configuration tool within Dropbox Sign, which the attacker exploited.

Impact: Thankfully, there’s no evidence that the attacker accessed the contents of users’ accounts or payment information. However, the breach highlighted the importance of robust API security practices. Dropbox Sign’s infrastructure is largely separate from other Dropbox services, which may have limited the impact on other products.

Key Lessons and Takeaways

Based on these 10 examples of high-profile API breaches, it’s clear that APIs have become a significant attack vector that organizations cannot afford to overlook. While APIs provide important functionality and connectivity between systems, if not properly secured, they can expose sensitive data and systems to malicious actors. The following are key lessons and takeaways to learn from these incidents.

What is an API vulnerability?

An API vulnerability is a weakness in an API’s design, implementation, or deployment that can be exploited by malicious actors. These vulnerabilities can take many forms, such as:

• Broken Authentication and Authorization: Weak authentication mechanisms (e.g., basic authentication with static passwords) or improper authorization controls (e.g., giving too much access to users) can allow unauthorized access to sensitive data or functionalities.
• Injection Flaws: Improper data validation can lead to injection attacks (e.g., SQL injection), where attackers can inject malicious code to steal data or manipulate the application.
• Broken Object Level Authorization: APIs might not properly restrict access to specific data objects within the system, allowing attackers to access data they shouldn’t.

The complete list of common API vulnerabilities is mentioned in the OWASP Top 10 API Security Risks – 2023

How can we safeguard our API from hackers?

Here are some crucial steps to secure your API:

• Implement Strong Authentication and Authorization: Use multi-factor authentication and implement role-based access controls (RBAC) to ensure only authorized users can access specific functionalities.
• Validate and Sanitize all Inputs: Rigorously validate all data coming into your API to prevent injection attacks.
• Encrypt Data at Rest and in Transit: Use strong encryption protocols (e.g., HTTPS) to protect data confidentiality.
• Monitor and Log API Activity: Continuously monitor API activity for suspicious behavior and log all access attempts for forensic analysis.
• Regular Penetration Testing: Conduct regular penetration testing to identify and address vulnerabilities before attackers exploit them.

To learn more about API attacks from the hacker’s perspective as well as ways to mitigate these, we recommend reading the book, Hacking APIs by Corey Ball.

What are the consequences of an API breach?

A compromised API can have devastating consequences, including:

• Data Breaches: Attackers can steal sensitive data like customer information, financial records, or intellectual property.
• Account Takeovers: Attackers can exploit vulnerabilities to gain access to user accounts and potentially take them over.
• Reputational Damage: A security breach can severely damage your brand reputation and erode customer trust.

The financial and legal repercussions of an API breach can be significant.

What are some best practices for API security?

• Secure by Design: API security should be considered throughout the entire development lifecycle, not as an afterthought.
• Adopt a DevSecOps Approach: Integrate security practices into the development and operations processes.
• Document your API: Create clear and concise API documentation that outlines security considerations and usage guidelines. We recommend checking out the OpenAPI Initiative for resources on how to document security schemes within your API specifications.
• Stay Updated on Threats: Regularly assess your API security posture and keep your systems patched with the latest security updates.

How can we stay updated on the latest API security threats?

• Subscribe to Security Newsletters and Forums: Stay informed about the latest API security threats and vulnerabilities.
• Attend Security Conferences and Webinars: Actively participate in the cybersecurity community and learn from industry experts.
• Utilize Threat Intelligence Feeds: Leverage threat intelligence feeds to gain insights into emerging threats targeting APIs.

To stay up to date with the latest threats, we recommend going to NIST’s National Vulnerability Database.

By following these security best practices and staying vigilant, you can significantly reduce the risk of an API breach and protect your valuable data and functionalities. Remember, API security is an ongoing process, not a one-time fix. Consistent monitoring, updates, and education are key to maintaining a robust API security posture.

Conclusion

In conclusion, these 10 examples of API vulnerabilities highlight the critical need for secure and robust API design, implementation, and maintenance in modern software development. As APIs become increasingly important for data exchange, authentication, and authorization, they also present a growing attack surface for malicious actors. The consequences of API vulnerability breaches can be severe, ranging from financial losses to privacy violations and identity theft. Developers, security professionals, and organizations must prioritize API security by implementing proper authentication, encryption, rate limiting, and regular vulnerability testing to minimize the risk of exploitation. By doing so, we can better protect sensitive information, maintain trust with our users, and ensure the integrity of our digital ecosystems.