Issue 90: Twitter API data security incident, skimmers and Google Analytics API 💳

HTTP headers can play an important role in API security, like the case with Twitter API shows. The header  cache-control:no-store  had not been set on the API, which meant that the data that this API returned to the web page was stored in the browser cache.

Unfortunately, this particular API was for Twitter’s advertisers’ portal ads.twitter.com and their analytics.twitter.com site, and the returned data did include sensitive billing information. The flaw could not be exploited remotely, but someone with a physical access to the computer a user used could gain access to the information, meaning that Twitter still had to classify this as a Data Security Incident.

Twitter has since fixed this vulnerability.

Attackers use skimmers on e-commerce sites to inject their code (for example, JavaScript) to intercept credit card information on purchases. This is the first leg of the journey: attackers still need a way to ship that stolen data to their servers, and lots of sites are using Content Security Policy (CSP) to prevent that. With CSP, site owners effectively prohibit any API calls outside of their own. Sounds good, right?

Unfortunately, as Amir Shaked from PerimeterX demonstrates, CSP is not really compatible with Google Analytics APIs. Google Analytics is widely used on websites to gather statistics and data for business decisions, and thus its domain is typically placed in the allowlist of the CSP.

In a way, this opens a backdoor (or open window, as Shaked puts it) to CSP. All attackers need to do to get that stolen data from the skimmer is to just call Google Analytics APIs and ship the data to their Google Analytics account. The domain of this call is identical to any other Google Analytics call, only the tag parameter is different. This it not enough for CSP to use as a discriminator, so the call sails through no problem.

This is a cautionary tale to keep in mind whenever a multitenant 3rd-party API is in use.

Neil Madden has just finished his book “API Security in Action”, published by Manning. This was one of the books in their early access program (MEAP) that allowed readers to get it chapter by chapter as released by the author. Now you can get full content, and pre-order your hard-copy if you want.

Here’s the quick abstract of the book:

“API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device.”

Madden goes into great detail about different authentication mechanisms used in REST APIs and also covers modern API-based architectures, including microservice and IoT deployments.

As a cherry on top, you can get 42% off the list price when you use the coupon code 42Crunch40 at checkout!

Live, practical demos are always exciting. Katie Paxton-Fear has posted a recording of her live API Hacking Demo that is definitely worth checking out.

In her demo, she uses Burp to discover APIs on a server, enumerates paths, discovers IDOR/BOLA vulnerabilities, takes over an account, and concludes by escalating her privileges.

To provide practical examples, Paxton-Fear also shows what these bugs look like in her sample application code.