APIsecurity.io - APISecurity.io Newsletter: Issue 156

This week saw the release of cybersecurity researcher Alissa Knight’s latest research into FHIR APIs and the mobile apps that access them.

The key finding is that although the APIs themselves are well-secured, there were serious shortcomings detected in the downstream mobile apps that consume the APIs. Knight concluded that these weaknesses in the “last mile” could seriously compromise both personally identifiable information (PII) and protected health information (PHI) of users. One app allowed accessing a whopping 4 million patient and clinician records when logged into as a single patient!

For the most part, Knight was able to compromise the systems using relatively simple techniques, leading to the conclusion that greater controls should be imposed on developers consuming these APIs. For API security practitioners, the recommendations for app developers are of most interest and include:

• Don’t rely on the obfuscation of mobile app code to ensure security , but rather employ run-time shielding to prevent tampering with the app. In essence, both the app and the device should be authenticated on each API call.
• Set up an attestation process for the app, the user, and the device to ensure that only known apps running in secure environments can access the APIs and the sensitive info behind them.
• Ensure that mobile apps use certificate pinning to eliminate person-in-the-middle attacks.
• Third-party app developers need to shift security left and shield right — many APIs appeared to be undefended.

Specific recommendations were made for the FIHR API owners:

• Implement an API threat management solution.
• Use penetration testers specializing in API.
• Inventory all your APIs to ensure complete coverage with security controls.

Further details have emerged this week on the recent website breach at the 3D printer manufacturer MakerBot. A leaked MySQL database was discovered on an AWS S3 bucket, containing not only users’ PII information but also — critically in some cases — OAuth tokens that could lead to a total takeover of the associated printers.

The further context came when a former MakerBot software developer, TJ Horner, disclosed on Twitter that up to 2 million users could have been impacted and that the OAuth tokens leaked were s0-called “God-tokens” that allowed full device access. In addition, the tokens were permanent (so no expiration to save you) and irrevocable (meaning that end-users themselves could not revoke them). The manufacturer contradicted these claims saying that only a “handful (less than 500) of real user data” were affected.

From an API security perspective, there are several lessons here:

• Tokens are valuable assets and should be adequately protected at rest, rather than left unencrypted in a database. Even a simple column-level database protection mechanism could have prevented the disclosure of the OAuth tokens in this case.
• As the privileges of tokens increase, so does the impact of breaches. Avoid using tokens with excessive privileges: wherever possible, use tokens with fine-grained privileges, not “God-tokens“.
• Always impose an expiration window on tokens to reduce the long-term impacts of a possible breach.
• Provide users a method to revoke any and all tokens associated with their accounts or devices.

Illustrating the urgency of improving API security is the article this week on Data Center Knowledge revealing the extent of API attacks and breaches in 2021. The highlight is that only 6% percent of companies surveyed reported no API-related security incident in the past year. Mind boggles!

Readers of this newsletter will be familiar with some of the higher-profile breaches mentioned in the article, such as:

• 38 million records exposed via Microsoft Power Apps
• Peleton disclosure of customer account data via APIs
• Equifax and Amazon and PayPal

On Thursday 21 October, 2021, Kuppinger Cole’s lead analyst Alexei Balaganski is hosting 42Crunch co-founder and field CTO Isabelle Mauny as they discuss a new approach to ensuring continuous API security: using a shift left and shield right approach.

The webinar will cover the following:

• Understand why API security is key to protecting your digital business.
• Learn what is a best practice approach to achieve continuous API security.
• Find out why dedicated API security is needed in addition to traditional AppSec technologies.
• Discover how a leading global manufacturer is automating and scaling API security.

Click here to register and reserve your spot.