Poor API security leads to real-world consequences

Sept. 28, 2022
If a lack of human resources has your API security program on the back burner, there are many organizations you can partner with

Winston Churchill once wrote, “those that fail to learn from history are doomed to repeat it.” If 2021 is any indication, we have a lot to learn when it comes to API security, lest we continue to make the same mistakes. As we pass the midpoint of 2022, there has never been a greater need for organizations to not only understand what APIs they have, but also actively take steps to secure them.

Google predicted that API security will take on increased importance in 2022, which follows up on a similar statement from Gartner. I couldn’t agree more. A company’s exploited APIs are often the reason for breaches that expose the data of its customers and clients. While this may result in lost revenue and lack of faith in the company, to the individuals impacted, these breaches could mean a stolen identity or mounting debt.

With Great Power Comes Great API Responsibility

APIs, or application programming interfaces, are the “building blocks” of modern web applications and are used in almost every industry. APIs are a powerful tool that enables applications to both communicate and share information with one another.

While APIs empower greater engagement between companies and their customers, their success has brought about a worrying trend. In particular, the speed at which APIs are rolled out, combined with their widespread use, makes them challenging for security teams to protect. Ultimately, this leaves APIs, along with the systems they connect, vulnerable to exploitation.

When it comes to cybersecurity, especially as it relates to API security, we all often feel like we are trapped in our own version of the movie “Groundhog Day,” repeating the same day over and over again. While there are unfortunately too many examples of APIs being exploited, here are a few prominent examples that demonstrate the impact of poor API security: 

Coinbase: Discovered through a bug-bounty program, a researcher found that they could make crypto transactions without actually owning the crypto that was sold. To do this, the researcher exploited a vulnerability within the site’s Retail Brokerage API endpoint. Fortunately, this exploit was uncovered by a benevolent person, and not a threat actor intent on using it for malicious purposes. Regardless, this should exemplify the need for an understanding of API endpoints with an eye toward uncovering how they can be used against you. 

Experian: Third-party sites often used the Experian API as a means to obtain someone’s credit score. The problem, which was uncovered by researchers, is that by entering a minimal amount of information, like names and addresses, anyone could pull the credit score of someone else, without their express authorization. 

John Deere: A misconfigured API on John Deere’s software portal allowed a researcher to look up usernames for customers, without any sort of authentication, and also enabled the researcher to dig up names and addresses of equipment owners, among other data. This shows us how important it is to understand the endpoints that you have and their potential impact on your customer. 

Peloton: Similar to other exploits, it was discovered that the Peloton API would field unauthenticated requests for specific user data. That means that, theoretically, anyone could pull personal information on Peloton users, including their birthday, gender, city and workout statistics. On its own, a single piece of this data might not be devastating to an impacted individual, but any piece of information a threat actor gains helps them assemble a complete picture of a target, opening that person up to other attacks down the line.
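The failure mode shared by the Peloton and John Deere cases above, an endpoint that answers unauthenticated requests for user data, modeled as an added example that is not code from the article or from any company named in it: a vulnerable handler next to a hardened one that authenticates the caller and enforces per-object authorization. The user store, session tokens, roles and `Request` shape are constructed for the example.

```python
# Added example (not from the article): a user-data endpoint that answers
# unauthenticated requests, beside a hardened handler that authenticates the
# caller, enforces object-level authorization and limits what it returns.
# USERS, SESSIONS and the Request shape are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import hmac

USERS = {
    "1001": {"username": "alice", "birthday": "1990-04-12", "city": "Denver"},
    "1002": {"username": "bob", "birthday": "1985-11-02", "city": "Austin"},
}
# Session token -> who the caller is. "support" may read any profile.
SESSIONS = {"tok-alice": {"sub": "1001", "role": "user"},
            "tok-support": {"sub": "9000", "role": "support"}}


@dataclass
class Request:
    user_id: str                    # path parameter, e.g. /users/{user_id}
    bearer: Optional[str] = None    # value of the Authorization: Bearer header


def profile_vulnerable(req: Request) -> Tuple[int, Dict]:
    """Anyone who knows or guesses a user id receives that user's full record."""
    user = USERS.get(req.user_id)
    return (200, user) if user else (404, {"error": "not found"})


def _authenticate(bearer: Optional[str]) -> Optional[Dict]:
    """Resolve the bearer token to a session, comparing in constant time."""
    if not bearer:
        return None
    for tok, sess in SESSIONS.items():
        if hmac.compare_digest(tok, bearer):
            return sess
    return None


def profile_hardened(req: Request) -> Tuple[int, Dict]:
    """Authenticate first, then check the caller may read this object."""
    sess = _authenticate(req.bearer)
    if sess is None:
        return (401, {"error": "authentication required"})
    user = USERS.get(req.user_id)
    allowed = sess["sub"] == req.user_id or sess["role"] == "support"
    # Same 404 whether the record is missing or belongs to someone else, so
    # the endpoint cannot be used to enumerate which user ids exist.
    if user is None or not allowed:
        return (404, {"error": "not found"})
    # Return only the fields this caller needs, not the whole record.
    return (200, {"username": user["username"], "city": user["city"]})
```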

Protect Your APIs and Avoid the Headlines 

The truth is that many organizations don’t understand the extent of their API vulnerabilities and how they can be leveraged for malicious purposes. 

Another challenge facing security teams is how to address these vulnerabilities while protecting against modern threats, many of which unfold in real time. Security teams no longer have time on their side to uncover and fix their API vulnerabilities. APIs are now actively sought out, hunted and exploited through a mixture of bot, DDoS and multi-mode attacks. Adding insult to injury, many security teams are put in the difficult situation of protecting their attack surface with constrained financial resources while dealing with the ongoing talent shortage.

Thankfully, there are solutions on the market that can help organizations better secure their APIs. But before we get there, organizations should make sure they set themselves up for success by taking a few initial steps. For instance, you can’t protect what you don’t know you have. Gaining a full understanding of your endpoints, which may require some internal reconnaissance on your end, will help you fully understand your vulnerabilities so they can be proactively mitigated.

Additionally, now that you know about the threat posed by unsecured APIs, work with your team to build API security from the start of the development phase. This will help to create a solid foundation for your organization to continue its work.

We all recognize that despite extraordinary efforts, the cyber talent gap isn’t going to be resolved anytime soon. If your API security program is on the back burner because of a lack of human resources, there are many organizations you can partner with that have API security experts on staff and provide access to around-the-clock monitoring and access to a security operations center (SOC).

The time to secure your APIs has already passed. If you are still catching up, be sure to do so now, or potentially run the risk of becoming the next company to fall victim to an exploited API vulnerability.

About the author: Gene Fay is the CEO at ThreatX. As CEO of ThreatX, Gene is responsible for the overall company direction. Gene has extensive experience building high-impact teams at early-stage startups in storage, virtualization, and cybersecurity. Prior to ThreatX, he has been an executive at technology companies, including COO at White Ops, General Manager at Resilient Systems (acquired by IBM), and VP of Worldwide Sales and Global Alliances of Network Intelligence (acquired by EMC and integrated into RSA).