Attacks on vulnerable APIs are rapidly increasing, and there is no silver bullet to help shoot them down.

Pam Baker

August 28, 2019


Hostinger, the web hosting platform, this week confirmed a breach involving an unauthorized third party gaining access to its internal system API. But it’s only the most recent API attack in a notable string of incidents.

API threats are on the rise with no end on the horizon. Akamai’s State of the Internet report (pdf) found “83% of all web traffic in 2018 was in API traffic.” Further, according to an earlier Gartner research report, APIs will be the “most frequently attacked vector for enterprise web application data breaches” by 2022.

“Cyberattacks and data breaches involving poorly protected application programming interfaces (APIs) are rapidly increasing, and there is not a singular plug-and-play solution to preventing such data breaches from happening,” said Chris Konrad, global director of security strategy at World Wide Technology.

An API attack can be devastating. Back in March, the LandMark White breach, which also sprang from an attack on an internal API, had massive repercussions: major customers abandoned Australia’s largest independent property valuation and consultancy firm in droves, and executive heads rolled, including the CEO’s.

Another example of where API dangers lurk is found in a Facebook vulnerability.

“Facebook Marketplace was only showing the approximate location of sellers but this masking was only done by the web app. Someone invoking the API directly could get the exact location of that $5,000 sports bicycle that you put on sale without ever contacting you,” warned Dmitry Sotnikov, vice president of cloud platform at 42 Crunch.
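The Marketplace flaw Sotnikov describes is a general pattern: the server hands out the exact record and trusts the client to blur it. The example below is added here to illustrate that pattern; it is not code from the article or from Facebook, and the listing, seller, coordinates and 0.01-degree grid cell are constructed assumptions. It shows a vulnerable endpoint whose masking lives only in the web client, a hardened endpoint that coarsens the location and strips contact details before the response leaves the server, and a check you can run against any response to see whether the stored coordinates leaked.

```python
# Added example, not code from the article or from Facebook: models the
# Marketplace flaw described above. All data (listing, seller, coordinates)
# is constructed for illustration; the grid cell size is an assumption.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    listing_id: int
    seller_id: int
    title: str
    seller_email: str
    lat: float   # exact pickup point, as stored server-side
    lon: float


# Constructed sample record (arbitrary coordinates, not a real seller).
LISTINGS = {
    101: Listing(101, 7, "Road bike, carbon frame", "seller@example.com",
                 48.858370, 2.294481),
}


def api_get_listing_vulnerable(listing_id: int) -> dict:
    """Serves the stored row as-is. Masking is left to the web app, so a
    direct API call returns the exact point and the seller's e-mail."""
    l = LISTINGS[listing_id]
    return {"id": l.listing_id, "title": l.title, "seller_email": l.seller_email,
            "lat": l.lat, "lon": l.lon}


def web_app_render(record: dict) -> dict:
    """What the web client does before drawing the map: rounds to two
    decimals. Cosmetic only; the exact value already left the server."""
    return {**record, "lat": round(record["lat"], 2), "lon": round(record["lon"], 2)}


CELL_DEG = 0.01  # assumption: roughly a 1 km grid cell; tune to the product's needs


def coarsen(lat: float, lon: float, cell: float = CELL_DEG) -> tuple:
    """Snap to the centre of a fixed grid cell. Every point in the cell maps
    to the same output, so the exact location cannot be reconstructed."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)


def api_get_listing_hardened(listing_id: int, caller_id=None) -> dict:
    """Masks on the server: every caller gets a coarsened point and no contact
    details; only the authenticated seller (caller_id) sees the exact row."""
    l = LISTINGS[listing_id]
    approx_lat, approx_lon = coarsen(l.lat, l.lon)
    response = {"id": l.listing_id, "title": l.title,
                "approx_lat": round(approx_lat, 3), "approx_lon": round(approx_lon, 3)}
    if caller_id is not None and caller_id == l.seller_id:
        response.update({"lat": l.lat, "lon": l.lon, "seller_email": l.seller_email})
    return response


def exposes_exact_location(response: dict, listing_id: int) -> bool:
    """Check to run against any endpoint response for a listing the caller
    does not own: does it carry the stored coordinates or the seller e-mail?"""
    l = LISTINGS[listing_id]
    return (response.get("lat") == l.lat and response.get("lon") == l.lon) \
        or "seller_email" in response


if __name__ == "__main__":
    raw = api_get_listing_vulnerable(101)
    print("web app shows:", web_app_render(raw))        # rounded, looks safe
    print("API returns:  ", raw)                         # exact point and e-mail
    print("hardened:     ", api_get_listing_hardened(101))
```

The hardened endpoint snaps to a grid cell rather than simply rounding: rounding the true value still reveals which side of the rounding boundary it lies on, while snapping every point in a cell to the same centre gives the caller nothing beyond the cell. Anything the client is not meant to see (exact coordinates, contact details) must be removed server-side, because any consumer can bypass the web app and call the API directly.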

Given that we now live in an API Economy, these threats can be anywhere.

“Tchap was a messaging app that the French government released for internal use. It was hailed as a more secure replacement for Telegram and WhatsApp. And ironically enough it indeed got hacked,” Sotnikov wrote in a newsletter to clients. “The attacker claimed that he did the hack within just one hour.”

Sometimes the exposure is even intentional, or at least a pivotal element of the application’s functionality, unbeknownst to users who assume their information is private and protected.

“Over the last several months, security researchers have demonstrated how the Venmo API will serve up millions of transactional records of users — information such as the source, destination, amount and message text are included. While this may appear to be a serious breach, it is actually the intended functionality of the Venmo platform,” explained Alex Heid, chief research officer at SecurityScorecard.

“Many users of Venmo do not realize that the platform was designed to merge the concepts of both social media and banking. As a result, Venmo settings make payments and messages between individuals public by default — and users have to change their settings to make information private. This is similar to many other social media platforms, but seems to have unintended consequences as consumers are not fully aware of all aspects of technologies before they make use of it,” Heid added.

Why APIs Are Under Attack

The important thing to remember, said Sotnikov, is “the data that the API returns is what matters.” The API is just another means to access data.

“Modern web frameworks like React and mobile applications are built around APIs to provide a better experience. It is common to deploy security products on the main consumer outlets – the website or specific applications – but attackers will always look for the path of least resistance, and in many cases, the APIs are exactly that. Remember, APIs are exposed to the entire internet and it is fairly easy to see which API calls are made by any website or mobile application,” said Amir Shaked, vice president of research and development at PerimeterX.

Despite the rising number of attacks, far too often APIs reside outside of the application security infrastructure, and/or are ignored by security processes and teams.

“APIs are one of the most powerful features in many new products, but they are often overlooked for security purposes. There are new stories all of the time about people getting hacked via an API exploit, such as the ConnectWise API vulnerability involving a plug-in this year that allowed multiple operations to be performed on a Kaseya server without authentication,” said Sage Driskell, security engineer at The 20, a group of managed service providers across North America who joined forces.

At least a patch was released soon afterward for the ConnectWise API vulnerability. But the situation for the API economy overall is worsening by the moment.

“What’s more is that APIs are being added and consumed by organizations on such a rapidly recurring basis that API security is only getting more complicated, making the ability to develop viable solutions to these data breaches even more complex. With so much uncertainty across the industry, what we do know for certain is that traditional application security is no longer enough to protect organizations and their data,” said Konrad.

About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
