APIsecurity.io - APISecurity.io Newsletter: Issue 158

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #158
Data of 400 000 students exposed, 1 million sites affected by plugin vulnerabilities, views on GraphQL

This week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. In addition, there’s a thought-provoking opinion piece on the value of GraphQL on public interfaces, and an article featuring nine useful API testing tools.

Breach: Sensitive data of 400 000 German students exposed by API flaw
 

Last week, the news broke of a breach on a popular German student community app, Scoolio, discovered by security researcher Lilith Wittmann. Conservative estimates put the number of affected students to 400 000 students, but how Scoolio creates user accounts throws some uncertainty to the exact figure here.

Wittman describes (in German) how she was able to exploit the Scoolio API to retrieve sensitive user data, such as:

  • User nicknames
  • User and parent email addresses
  • GPS location of last app use
  • Name of school and class
  • Personality traits like origin, religion, sexuality

Below shows an example of the type of user information leaked:

Article1-3

It took the developers of Scoolio just over a month to deploy a fix for the issue, but they were gracious enough to publicly thank Wittman for her responsible disclosure.

The precise nature of the vulnerability was not disclosed, but it would appear that this may be an example of API1:2019 — Broken object level authorization, based on the UUIDs of accounts.

Vulnerability: OptinMonster WordPress plugin affects 1 million sites
 

Another week, another vulnerability affecting users of WordPress, this time in a popular marketing plugin called OptinMonster. The vulnerability is similar to previous plugin vulnerabilities we have seen: API endpoints exposed by the plugin were not properly secured, allowing an attacker to compromise the deployment.

The vulnerability was discovered by the Wordfence team, who swiftly moved swiftly to protect their affected customers, and advised OptinMonster, who responded equally swiftly and patched the issue in version 2.6.5 of the plugin.

It turned out that many of the REST API endpoints were not securely implemented, which allowed attackers multiple pathways to access an affected installation. The most serious was the endpoint /wp-json/omapp/v1/support which actually disclosed an API key used to make requests to the OptinMonster website. An attacker could easily use this API key to make changes to any campaigns associated with it, including potentially embedding dangerous JavaScript code.

As we have seen with similar plugin vulnerabilities in WordPress, it tends to originate in how the permissions_callback method is implemented. WordPress core triggers this callback to allow the plugin to validate the API request, typically by performing checks on the authentication and authorization of the caller. Unfortunately, the implementation in the OptinMonster case left a lot to be desired, as there was no attempt at checking the caller’s permissions. All that was required was that the caller was logged in and had a valid API key! A good example of API5:2019 — Broken function level authorization.

Article2-3

The key takeaway here is for API developers to ensure that all API callers are fully authorized for the API endpoints being called.

Opinion: GraphQL is not meant to be exposed over the internet
 

Previously, we have featured Jens Neuse’s view on hardening and securing GraphQL implementations. This week, he is back discussing GraphQL in a provocative article that suggests that GraphQL should not be exposed over the internet!

According to Neuse, in many cases GraphQL is an unnecessary indulgence that is not required from a technical perspective and adds to risk exposure. Typically the benefits of GraphQL only manifest for the so-called ‘unicorns’ like Facebook and GitHub. Neuse’s advice is to consider if you really need GraphQL at all.

Neuse recommends that a security review of risks should be conducted if GraphQL be used at all, paying special attention to the following:

  • How secure are the libraries upon which your endpoint is built?
  • Do you understand how they work and what limitations they may have?
  • Are you inadvertently exposing your API even if you disable the visual GraphQL playground?
  • Are you enabling the introspection query which could leak sensitive information like the underlying data schema?
  • Are you aware of schema traversal attacks?

Anyone considering a GraphQL implementation would do well to read and understand this article, as well as its prequel. As Neuse concludes with tongue firmly in cheek:

If you want to be 100% safe, you should consider unplugging the network cable. However, this comes with some inconvenient drawbacks.”

Guide: Nine online API testing tools
 

Last but not least this week is a quick read from Idowu Omisola on nine online API testing tools.

The article covers some of the industry-standard tools, such as Postman and Swagger Inspector, but also features some lesser-known tools like the excellent Paw for MacOS users and the updated Fiddler Everywhere from Telerik.

All in all, a useful guide for any API tester or hacker.

 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 157

Thursday, October 28, 2021

Hi, this week, we have details of a potential vulnerability in existing Prometheus installations, a tool to map their API attack surface APIsecurity.io The Latest API Security News, Vulnerabilities and

APISecurity.io Newsletter: Issue 156

Thursday, October 21, 2021

Hi, this week we have a report from Alissa Knight on Fast Healthcare Interoperability and Resources APIs being vulnerable to abuse APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 155

Thursday, October 14, 2021

Hi, this week, we have a vulnerability in the BrewDog mobile app exposing users' PII, Cisco has announced the arrival of their APIClarity APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 154

Thursday, October 7, 2021

Hi, this week, we have a viewpoint on what security officers can do to address API security. There's also a report from IBM. APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 153

Thursday, September 30, 2021

Hi, this week, we have an article on how API proliferation is opening up security holes, another vulnerability in WordPress REST API, again through a third-party plugin. In addition, we look into the

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power