Issue 89: Starbucks API flaw exposes almost 100 million customer accounts ☕

The Latest API Security News, Vulnerabilities and Best Practices
This week, we have the recent API vulnerabilities at Starbucks and in Drupal, a set of open-source tools by the Spanish bank Banco Bilbao Vizcaya Argentaria (BBVA), and extensions to the Microsoft platform for integrating API security throughout it all.
Vulnerability: Starbucks

Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer records. In his detailed write-up, Curry walks us through how he went about finding the issue:

  1. He found that the web page for buying gift cards used a REST API behind the scenes.
  2. He noticed that the API was actually acting as a proxy and routing calls to internal backend APIs.
  3. He found a combination of \.. and \. segments that fooled the web application firewall (WAF) rules and allowed him to traverse API paths.
  4. He and Justin Gardner then used Burp Intruder and a dictionary list to discover the available endpoints.
  5. He located /search/v1/accounts, a Microsoft Graph endpoint that gave him access to the records of almost 100 million Starbucks customers.

Starbucks has already fixed this vulnerability. Curry’s entertaining post provides not only the details of the vulnerability itself, but also a brilliant account of how a researcher approaches finding one.
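The defender's lesson from step 3 is that the WAF and the backend router disagreed about what the path meant: the WAF matched the raw string, while the proxy resolved the `\..` and `\.` segments. The following is an added example, not code from Curry's write-up or from Starbucks, of a proxy-side check that canonicalises the request path first and only then compares it against an allowlist of routes the proxy may forward. The route prefix `/api/giftcards/`, the sample request paths and the helper names are constructed for the illustration.

```python
"""Canonicalise an API path before making any allow/deny decision.

Added example (hypothetical proxy code): percent-decode, treat '\\' as a
separator like '/', drop '.' segments, let '..' pop the previous segment,
and only then apply a route allowlist. Comparing the raw string instead is
the pattern that lets encoded dot-segments slip past a front-door check.
"""
from urllib.parse import unquote

# Constructed allowlist for the example: the only route prefix this proxy
# is permitted to forward to internal backends.
ALLOWED_PREFIXES = ("/api/giftcards/",)


def canonicalize_path(raw_path: str) -> str:
    """Return the path a backend router would actually resolve."""
    path = raw_path.split("?", 1)[0]          # query string plays no part
    for _ in range(3):                        # bounded decode loop: handles %255C -> %5C -> '\'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")            # backslash is a separator to many routers
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):              # empty and '.' segments change nothing
            continue
        if segment == "..":                   # '..' climbs one level, clamped at root
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def _matches_prefix(path: str, prefix: str) -> bool:
    """Prefix match that also accepts the prefix itself without a trailing slash."""
    return path.startswith(prefix) or path == prefix.rstrip("/")


def naive_is_allowed(raw_path: str) -> bool:
    """Allowlist applied to the raw string: what a string-matching rule does."""
    return any(_matches_prefix(raw_path, p) for p in ALLOWED_PREFIXES)


def is_allowed(raw_path: str) -> bool:
    """Allowlist applied to the canonical path: what the proxy should do."""
    return any(_matches_prefix(canonicalize_path(raw_path), p) for p in ALLOWED_PREFIXES)


def audit(paths):
    """Map each raw path to (canonical path, naive verdict, canonical verdict)."""
    return {p: (canonicalize_path(p), naive_is_allowed(p), is_allowed(p)) for p in paths}


# Constructed sample requests: one legitimate call, two traversal attempts
# (one literal, one percent-encoded) and a harmless '\.' segment.
SAMPLE_PATHS = [
    "/api/giftcards/balance",
    "/api/giftcards/\\..\\..\\search/v1/accounts",
    "/api/giftcards/%5C..%5C..%5Csearch/v1/accounts",
    "/api/giftcards/\\./balance",
]

if __name__ == "__main__":
    for raw, (canonical, naive, strict) in audit(SAMPLE_PATHS).items():
        print(f"{raw!r:55} -> {canonical!r:30} raw-check={naive} canonical-check={strict}")
```

The two traversal samples pass `naive_is_allowed` because they begin with the allowed prefix, and fail `is_allowed` because their canonical form is `/search/v1/accounts`. Any filter that sits in front of a proxy has to run the same normalisation the proxy and its backends run; otherwise the two components are checking different requests.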

Vulnerability: Drupal

Drupal has just fixed a Cross-Site Request Forgery (CSRF) vulnerability in its core Form API. The vulnerability was found by internal Drupal team members, so details are scant:

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

If you need a refresher on CSRF itself, check out this video by Tom Scott:

Tools: BBVA APICheck

The Innovation Security Labs team at the Spanish bank BBVA maintains a set of open-source API security tools called APICheck.

The toolset includes, for example:

  • Replay HTTP requests
  • acurl
  • APICheck proxy
  • JWT token validator (just released)
  • Sensitive data detector
  • Send data to a proxy server

For more details on the toolset, check out its documentation.

Tools: API security extensions for VS Code, Azure DevOps, Azure Kubernetes Services

Microsoft Channel 9 has posted a video of Abel Wang and Dmitry Sotnikov (me :)) talking about API security within the whole Microsoft platform. We cover different API security scenarios and show hands-on demos of the API security extensions for:

  • Visual Studio Code (VS Code)
  • Azure DevOps pipelines (Azure Pipelines)
  • Azure Kubernetes Service (AKS)

Dmitry Sotnikov

APIsecurity.io

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch Ltd   71-75 Shelton Street  Covent Garden  London  Greater London   WC2H 9JQ   United Kingdom
You received this email because you are subscribed to API Security News from 42Crunch Ltd.
