APIsecurity.io - APISecurity.io Newsletter: Issue 156

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #156
FHIR APIs vulnerable to abuse, 3D printers facing hijacking risk, API security webinar

This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability and Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers.

In addition, there’s an article summing up the increasing numbers of API attacks and breaches, and an upcoming Kuppinger Cole webinar on continuous API security.

Vulnerability: FHIR APIs vulnerable to abuse
 

This week saw the release of cybersecurity researcher Alissa Knight’s latest research into FHIR APIs and the mobile apps that access them.

The key finding is that although the APIs themselves are well-secured, there were serious shortcomings detected in the downstream mobile apps that consume the APIs. Knight concluded that these weaknesses in the “last mile” could seriously compromise both personally identifiable information (PII) and protected health information (PHI) of users. One app allowed accessing a whopping 4 million patient and clinician records when logged into as a single patient!

For the most part, Knight was able to compromise the systems using relatively simple techniques, leading to the conclusion that greater controls should be imposed on developers consuming these APIs. For API security practitioners, the recommendations for app developers are of most interest and include:

  • Don’t rely on the obfuscation of mobile app code to ensure security , but rather employ run-time shielding to prevent tampering with the app. In essence, both the app and the device should be authenticated on each API call.
  • Set up an attestation process for the app, the user, and the device to ensure that only known apps running in secure environments can access the APIs and the sensitive info behind them.
  • Ensure that mobile apps use certificate pinning to eliminate person-in-the-middle attacks.
  • Third-party app developers need to shift security left and shield right — many APIs appeared to be undefended.

Specific recommendations were made for the FIHR API owners:

  • Implement an API threat management solution.
  • Use penetration testers specializing in API.
  • Inventory all your APIs to ensure complete coverage with security controls.
Breach: 3D printers face hijacking risk
 

Further details have emerged this week on the recent website breach at the 3D printer manufacturer MakerBot. A leaked MySQL database was discovered on an AWS S3 bucket, containing not only users’ PII information but also — critically in some cases — OAuth tokens that could lead to a total takeover of the associated printers.

Article2-2

The further context came when a former MakerBot software developer, TJ Horner, disclosed on Twitter that up to 2 million users could have been impacted and that the OAuth tokens leaked were s0-called “God-tokens” that allowed full device access. In addition, the tokens were permanent (so no expiration to save you) and irrevocable (meaning that end-users themselves could not revoke them). The manufacturer contradicted these claims saying that only a “handful (less than 500) of real user data” were affected.

From an API security perspective, there are several lessons here:

  • Tokens are valuable assets and should be adequately protected at rest, rather than left unencrypted in a database. Even a simple column-level database protection mechanism could have prevented the disclosure of the OAuth tokens in this case.
  • As the privileges of tokens increase, so does the impact of breaches. Avoid using tokens with excessive privileges: wherever possible, use tokens with fine-grained privileges, not “God-tokens“.
  • Always impose an expiration window on tokens to reduce the long-term impacts of a possible breach.
  • Provide users a method to revoke any and all tokens associated with their accounts or devices.
Article: API attacks, breaches piling up
 

Illustrating the urgency of improving API security is the article this week on Data Center Knowledge revealing the extent of API attacks and breaches in 2021. The highlight is that only 6% percent of companies surveyed reported no API-related security incident in the past year. Mind boggles!

Readers of this newsletter will be familiar with some of the higher-profile breaches mentioned in the article, such as:

Webinar: Why continuous API security is key to protecting your digital business
 

On Thursday 21 October, 2021, Kuppinger Cole’s lead analyst Alexei Balaganski is hosting 42Crunch co-founder and field CTO Isabelle Mauny as they discuss a new approach to ensuring continuous API security: using a shift left and shield right approach.

The webinar will cover the following:

  • Understand why API security is key to protecting your digital business.
  • Learn what is a best practice approach to achieve continuous API security.
  • Find out why dedicated API security is needed in addition to traditional AppSec technologies.
  • Discover how a leading global manufacturer is automating and scaling API security.

Click here to register and reserve your spot.

Article3-3

 

 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 155

Thursday, October 14, 2021

Hi, this week, we have a vulnerability in the BrewDog mobile app exposing users' PII, Cisco has announced the arrival of their APIClarity APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 154

Thursday, October 7, 2021

Hi, this week, we have a viewpoint on what security officers can do to address API security. There's also a report from IBM. APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 153

Thursday, September 30, 2021

Hi, this week, we have an article on how API proliferation is opening up security holes, another vulnerability in WordPress REST API, again through a third-party plugin. In addition, we look into the

APISecurity.io Newsletter: Issue 152

Thursday, September 23, 2021

Hi, this week, we have a breach involving exposed API keys for payment integration, leaked API tokens on Travis CI. APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue

APISecurity.io Newsletter: Issue 151

Thursday, September 16, 2021

Hi, this week, we have details on the security patch in WordPress 5.8.1 fixing an issue on the REST API, a report on the rise of botnet attack APIsecurity.io The Latest API Security News,

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power