APIsecurity.io - APISecurity.io Newsletter: Issue 167

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #167
Uber bug allows spoof emails, partner-facing APIs on the rise, omnichannel APIs increase risk

This week, we have a long-standing vulnerability in a public-facing internal API at Uber, which allowed attackers to spoof emails. In addition, there is an article by NordicAPIs on the RapidAPI report into the rise of partner-facing APIs, IBM’s views on the API security risk posed by the growth in omnichannel APIs, and finally (another) awesome API security mega guide.

Vulnerability: Uber bug allows attackers to spoof emails

This week, ThreatPost featured details of a vulnerability in a public-facing internal API at Uber that allowed attackers to spoof emails so that they appeared to come from Uber.

Details of the vulnerability were disclosed by Seekurity security researcher and bug-hunter Seif Elsallamy, who made efforts to report them to Uber both directly and by submitting a report to HackerOne. However, Uber rejected Elsallamy’s submission as out of scope, only for it to be later discovered that the issue had been reported to Uber as far back as 2015. Elsallamy has since reported that the issue appears to have finally been fixed.

The vulnerability enabled attackers to use the public-facing internal API to perform HTML injection and send emails on behalf of Uber. Recipients could be tricked into believing that the emails were genuine and into performing unsafe actions, such as disclosing financial details or sensitive personal information. Elsallamy shared the proof-of-concept spoofed email shown below:

[Image: proof-of-concept spoofed email appearing to come from Uber]

Uber has previously featured in this newsletter and suffered a large breach in 2016 that led to the disclosure of 57 million user account details.

The key takeaways here are:

  • Be aware that APIs intended for internal use only may be easily discovered (and exploited) if they are connected to a public-facing network.
  • APIs can inadvertently expose previously latent vulnerabilities in downstream systems — in this case, a backend system was vulnerable to HTML injection.
  • Security-savvy organizations should have a proactive (or at least responsive) process for dealing with bug and vulnerability reports: here, the same issue had already been reported several times but had not been acted upon.
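The HTML-injection takeaway above, illustrated as an added example that is not code from the original page or from Uber: a hypothetical email-sending endpoint interpolates a caller-supplied display name into an HTML template. The vulnerable renderer, the hardened renderer (output encoding) and an input allowlist enforced at the API boundary are shown side by side. The template, the endpoint parameter name and the attacker payload are all constructed for this example.

```python
import html
import re

# Constructed for this example: an HTML email template into which a caller-supplied
# display name is interpolated. The template, parameter and payload are hypothetical.
TEMPLATE = "<p>Hi {name},</p><p>Your receipt is ready.</p>"
TAG_RE = re.compile(r"<[^>]+>")


def render_vulnerable(name: str) -> str:
    """Interpolates untrusted input straight into the HTML body (the bug pattern)."""
    return TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Output encoding: any markup in the name renders as literal text, not as HTML."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def validate_display_name(name: str) -> bool:
    """Input allowlist at the API boundary: letters (incl. Latin accents), spaces,
    apostrophe, dot and hyphen, capped at 64 characters. Anything that could carry
    markup or a URL is rejected before it reaches the mailer."""
    return re.fullmatch(r"[A-Za-z\u00C0-\u024F' .\-]{1,64}", name) is not None


def contains_injected_markup(rendered: str) -> bool:
    """True if the rendered body carries tags beyond the template's own tags."""
    template_tags = TAG_RE.findall(TEMPLATE.replace("{name}", ""))
    return TAG_RE.findall(rendered) != template_tags


# Constructed attacker payload: closes the greeting paragraph and inserts a
# phishing link that would render inside an otherwise genuine-looking email.
PAYLOAD = ('Rider</p><p><a href="https://evil.example/verify">'
           'Confirm your card details</a>')


def demo() -> dict:
    """Compare the two renderers and the allowlist against the payload and a real name."""
    return {
        "payload_passes_validation": validate_display_name(PAYLOAD),
        "vulnerable_injected": contains_injected_markup(render_vulnerable(PAYLOAD)),
        "hardened_injected": contains_injected_markup(render_hardened(PAYLOAD)),
        "legit_name_passes": validate_display_name("Ana O'Neil"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both layers matter: output encoding protects the template even when validation is bypassed elsewhere, and the allowlist stops the payload at the API so an internal mailer never sees it. Whether the endpoint is labelled "internal" changes nothing about either control.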

Article: Partner-facing APIs on the rise

NordicAPIs has featured an article on the rise of partner-facing APIs on the back of the recently released “State of APIs Developer Survey 2021 Report” from RapidAPI.

The report surveyed 2,200 developers and sampled their views on their experience with APIs, ranging from internal tools to an increasing number of partner-facing APIs. The growth of partner-facing APIs presents challenges to organizations: as the number of APIs grows, they become increasingly difficult to maintain, and data privacy and security issues multiply with them.

From a security perspective, two distinct challenges are highlighted:

  1. API testing is focused primarily on acceptance, functional, and integration testing; security testing is not mentioned in the survey at all.
  2. The skills shortage in the software industry has been exacerbated by the Covid-19 pandemic, and nowhere is this more profound than in software security.

Many organizations are being driven towards enabling partner-facing public APIs whilst being aware that these APIs are not adequately tested from a security perspective, nor do their developers have the requisite experience to fully secure these APIs.

Article: Omnichannel API growth increases API risk

IBM Security Intelligence has featured an article on the rise of so-called omnichannel APIs and how these expose organizations to increased API risk. The well-documented growth of APIs is being driven by three main factors:

  • Multi-device use: Users have multiple devices and APIs are required to provide features and functions on all of them.
  • Microservices: The breakdown of the monolith architecture has led to distributed microservices, with APIs connecting them all.
  • Move to the cloud: Ease of cloud deployment has also increased the rate of software deployment, including APIs.

The report highlights how an omnichannel business strategy is adding further fuel to the fire of API growth. An omnichannel customer experience attempts to ensure that the customer experience remains the same regardless of the medium used, be it a web portal, a desktop app, or a variety of mobile devices. To make this experience seamless, each platform must present a consistent view to the user — and APIs are the connecting fabric that enables this experience.

The article concludes with recommendations on how to improve API security, many of which will come as no surprise to readers of this newsletter:

  • Keep an API inventory: It’s impossible to secure what you can’t see.
  • Practice secure coding: Vulnerabilities are introduced in code, so prevent them at the source rather than relying on perimeter controls to catch them later.
  • Implement OAuth: Avoid home-grown token handling, and the secrecy and leakage problems that come with it, by using a robust, standard authorization protocol.
  • Implement rate limiting and throttling: Prevent abuse and brute-forcing of APIs by limiting the request rate per client.
  • Use an API gateway: Use a gateway as a central point to enforce security policies.
  • Use a service mesh: Leverage the mesh to enforce authentication, access control, and other security measures throughout your services.
  • Adopt Zero Trust: Do not rely on traditional perimeters or trust boundaries.
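Rate limiting and throttling from the list above, as an added example that is not code from the original page or from IBM’s article: a token-bucket limiter keyed per API credential, so an abusive partner exhausts only its own allowance and a well-behaved one is unaffected. The key names, limits and request timestamps are constructed for the example, and time is passed in explicitly so the behaviour is deterministic.

```python
from typing import Dict, List, Tuple


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)  # a new client may burst up to capacity
        self.last = now

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)  # a clock stepping backwards never adds tokens
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def retry_after(self) -> float:
        """Seconds until one token is available again (0.0 if one is available now)."""
        return max(0.0, (1.0 - self.tokens) / self.rate)


class PerKeyLimiter:
    """One bucket per API key, created on first sight; returns an HTTP status and Retry-After."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, api_key: str, now: float) -> Tuple[int, float]:
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = TokenBucket(self.capacity, self.rate, now)
        if bucket.take(now):
            return 200, 0.0
        return 429, bucket.retry_after()


def simulate(limiter: PerKeyLimiter,
             requests: List[Tuple[float, str]]) -> List[Tuple[float, str, int]]:
    """Replay (timestamp, api_key) pairs in time order and record the status for each."""
    return [(ts, key, limiter.check(key, ts)[0])
            for ts, key in sorted(requests, key=lambda r: r[0])]


# Constructed traffic: hypothetical key "partner-A" fires eight calls 10 ms apart,
# while "partner-B" makes a single call in the middle of that burst.
BURST = [(round(0.01 * i, 2), "partner-A") for i in range(8)] + [(0.05, "partner-B")]


def demo() -> Dict[str, int]:
    """5-call burst allowance, 2 calls/s sustained: A gets 5 x 200 then 3 x 429; B is untouched."""
    limiter = PerKeyLimiter(capacity=5, rate=2.0)
    results = simulate(limiter, BURST)
    return {
        "partner_a_200": sum(1 for _, k, s in results if k == "partner-A" and s == 200),
        "partner_a_429": sum(1 for _, k, s in results if k == "partner-A" and s == 429),
        "partner_b_200": sum(1 for _, k, s in results if k == "partner-B" and s == 200),
    }


if __name__ == "__main__":
    print(demo())
```

The second value returned by `check` maps directly onto a `Retry-After` header on the 429 response. In a gateway fronting several replicas the bucket state would live in a shared store rather than a process-local dictionary, but the arithmetic is the same.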

Guide: Another awesome API security guide

We have previously featured an excellent API security mega guide, and in this issue we have another comprehensive guide, this time by Reconshell.

The article covers a broad spectrum of API security topics, primarily of interest to attackers but sure to prove useful for developers and defenders too. Another case of knowing your enemy.

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

Powered by 42Crunch
42Crunch Inc., 95 Third Street, 2nd Floor, San Francisco, CA 94103, United States
You received this email because you are subscribed to API Security News from 42Crunch Inc.
