1. Home
  2. Discover
  3. Technology
  4. APIsecurity.io

Issue 89: Starbucks API flaw exposes almost 100 million customer accounts ☕
The Latest API Security News, Vulnerabilities and Best Practices
Issue: #89
Starbucks API flaw exposes almost 100 million customer accounts
This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to Microsoft platform for integrating API security throughout it all.
Vulnerability: Starbucks
 

Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer records. In his detailed write-up, Curry walks us through how he went about finding the issue:

  1. He found that the web page for buying gift cards used a REST API behind the scenes.
  2. He noticed that the API was actually acting as a proxy and routing calls to internal backend APIs.
  3. He found a combination of \.. and \. segments that fooled the web application firewall (WAF) rules and allowed him to traverse API paths.
  4. He and Justin Gardner then used Burp Intruder and a dictionary list to discover the available endpoints.
  5. He located /search/v1/accounts,  a Microsoft Graph endpoint that gave him access to the records of almost 100 million Starbucks customers.

Starbucks has already fixed this vulnerability. Curry’s entertaining post provides not only the details of the vulnerability itself, but also a brilliant account on how a researcher approaches finding one.
Vulnerability: Drupal
 

Drupal has just fixed a Cross Site Request Forgery (CSRF) vulnerability in one of its Forms APIs . The vulnerability was found by internal Drupal team members so the details are scant:

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

If you need a refresher on CSRF itself, check out this video by Tom Scott:
Tools: BBVA APICheck
 

The Spanish bank BBVA has Innovation Security Labs team which maintains a set of open-source API Security tools called APICheck.

The toolset includes, for example:

  • Replay HTTP requests
  • acurl
  • APICheck proxy
  • JWT token validator (just released)
  • Sensitive data detector
  • Send data to a proxy server

For more details on the toolset, check out its documentation.
Tools: API security extensions for VS Code, Azure DevOps, Azure Kubernetes Services
 

Microsoft Channel 9 has posted a video of Abel Wang and Dmitry Sotnikov (me :)) talking about API security within the whole Microsoft platform. We cover different API security scenarios and show hands-on demos of the API security extensions for:

  • Visual Studio Code (VS Code)
  • Azure DevOps pipelines (Azure Pipelines)
  • Azure Kubernetes Service (AKS)
 
dmitry_apisec-1  

Dmitry Sotnikov

APIsecurity.io
 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch Ltd   71-75 Shelton Street  Covent Garden  London  Greater London   WC2H 9JQ   United Kingdom
You received this email because you are subscribed to API Security News from 42Crunch Ltd.

Update your to choose the types of emails you receive or   
 
 

Older messages

Issue 88: JWT pentesting, API discovery, the present and future of OpenAPI 🔭

Thursday, June 18, 2020

Hi, this week we have a new JWT security toolkit, video on API discovery, new ebook and APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #88 JWT pentesting, API

Issue 87: Vulnerabilities in Digilocker, Facebook, VMware Cloud Director 🌩️

Thursday, June 11, 2020

Hi, this week we have a video on API recon and details of 3 recent API vulnerabilities APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #87 Vulnerabilities in

Issue 86: Vulnerabilities in Sign in with Apple 📱, Qatar’s COVID19 app, GitLab

Thursday, June 4, 2020

Hi, this week we look at the 3 recent API vulnerabilities and a new Burp plugin APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #86 Vulnerabilities in Sign in

Issue 85: Vulnerability in Google Cloud Deployment Manager ⛅, a pentester’s guide to OAuth 🌩️

Thursday, May 28, 2020

Hi, this week we have a Gartner report, API Security Q&A panel, OAuth pentesting guide APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #85 Vulnerability in

Issue 84: Unprotected APIs at Google Firebase, leaky Arkansas PUA portal💦

Thursday, May 21, 2020

Hi, this week we look at a couple recent API leaks, a new pentesting tool, and webinars APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #84 Unprotected APIs at

You Might Also Like

🎮 5 Cheap Apple AirPlay Receiver Alternatives — Your Game Controllers Need Firmware Updates Too

Tuesday, January 7, 2025

Also: The Best Free Offline Music Player Apps For Android How-To Geek Logo January 7, 2025 Did You Know It's a common practice in Japan to package toys with a single cheap piece of candy in order

Daily Coding Problem: Problem #1661 [Medium]

Tuesday, January 7, 2025

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Triplebyte. Implement a data structure which carries out the following operations

DRF, Temp Files, Dataclasses, and More

Tuesday, January 7, 2025

Building HTTP APIs With Django REST Framework #663 – JANUARY 7, 2025 VIEW IN BROWSER The PyCoder's Weekly Logo Building HTTP APIs With Django REST Framework This course will get you ready to build

Charted | The Pyramid of S&P 500 Returns (1874-2024) 💰

Tuesday, January 7, 2025

In 2024, the S&P 500 surged 23%, setting a series of record highs. We show these returns in a historical context spanning 150 years. View Online | Subscribe | Download Our App Presented by: Global

LW 164 - How to create new arrivals collection in Shopify using Shopify Flow    

Tuesday, January 7, 2025

How to create new arrivals collection in Shopify using Shopify Flow ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ Shopify Development news and

Tic-Tac-D’Oh 💻

Tuesday, January 7, 2025

The latest from the dull side of the internet. Here's a version for your browser. Hunting for the end of the long tail • January 07, 2025 Tic-Tac-D'Oh Dell decides to rebrand its machines along

Spyglass Dispatch: CaptAIn AmerIca...

Tuesday, January 7, 2025

Hulu, Fubo, Venu • NVIDIA's Cosmos • NVIDIA's DIGITS • Meta's Board Addition • Meta's Fact-Checking Subtraction • Dude, You're Getting a Dell Pro Max Premium The Spyglass Dispatch

DeveloPassion's Newsletter #183 - Knowledge Management for All

Tuesday, January 7, 2025

A newsletter discussing Knowledge Management, Knowledge Work, Zen Productivity, Personal Organization, and more! Sébastien Dubois DeveloPassion's Newsletter DeveloPassion's Newsletter #183 -

CES 2025 ICYMI: 8 top reveals so far

Tuesday, January 7, 2025

Bluesky's most-needed feature; A mulching robot mower; Linux man pages -- ZDNET ZDNET Tech Today - US January 7, 2025 ces55gettyimages-2191705850 CES 2025: ZDNET's 8 most impressive products we

Post from Syncfusion Blogs on 01/07/2025

Tuesday, January 7, 2025

New blogs from Syncfusion Introducing the New Blazor Chat UI Component By Silambarasan Ilango Enhance real-time communication with the Blazor Chat UI. Discover its features and use cases for creating