In September 2018, Facebook discovered an API loophole that cyber criminals had leveraged to expose the information of over 50 million users. This incident and many others made clear that neglecting Application Programming Interface (API) security is a recipe for disaster.
APIs play a vital role in our lives, from checking flight availability on an airline website, to processing payment with third-party solutions on ecommerce stores, to navigating with GPS. Many major data breaches have occurred mainly because of API attacks exposing users’ personal data, financial information, travel itineraries, or medical records.
To ensure that APIs are safe both for the enterprise deploying them and their customers, a closer examination of the problem, as well as possible solutions is necessary.
3 Significant Factors that Contribute to API Security Issues
Although there are several factors that contribute to API security issues, three significant ones rise to the top of the list:
Poorly written documentation
API documentation is best known for instructing developers on how to adopt and integrate an API. But it is also valuable for security testing: it helps testers understand how the API operates and how to make it secure for the users and enterprises adopting it.
Although API documentation is essential, many API providers neglect to offer these instructions because they are challenging to create and maintain. Some providers create poorly written documentation, making it difficult to track their API endpoints effectively. Poor documentation also makes it laborious to test a particular API for possible security vulnerabilities.
On the other hand, good documentation gives the reader the essential information about each new version of an API. Every version introduces different endpoints, and each new endpoint can bring new security vulnerabilities. A security team can anticipate these vulnerabilities to provide a secure API solution to the organizations adopting it.
Excessive data exposure
In an ideal world, an API should never return more data than the client needs for a specific session. However, many API providers serve client applications more data than they need, relying on the client to filter it out. This is called “excessive data exposure”, and threat actors can exploit it to obtain sensitive data.
Criminals analyze API responses and sniff returned packets to get the sensitive data that the API provider exposed in the first place. Because the API returns backend data beyond what the client actually displays, an attacker who observes this traffic can harvest sensitive information such as phone numbers, email addresses, credit card information, and access tokens.
API providers shouldn’t rely on client applications to filter data. Instead, providers should take control of their sensitive data and protect it from cybercriminals by returning only the data each client needs in API responses. Doing this prevents attackers from obtaining the full data set and a full understanding of your systems and their vulnerabilities. API providers should also ensure they encrypt data in transit using SSL/TLS.
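The same user lookup written both ways, as an added example that is not part of the original post: `profile_vulnerable` returns the whole backend record and leaves filtering to the client, `profile_hardened` serializes through a per-audience allowlist, and `leaked_sensitive_fields` is a regression check a test suite can run over any response body. The record and field names are constructed for the example.

```python
from typing import Any

# Constructed sample record standing in for the provider's backend store.
# Every value here is made up for the example.
BACKEND_USERS: dict[int, dict[str, Any]] = {
    42: {
        "id": 42,
        "display_name": "Ada",
        "email": "ada@example.com",
        "phone": "+1-555-0100",
        "password_hash": "$argon2id$PLACEHOLDER",
        "card_last4": "4242",
        "card_pan": "4242424242424242",   # placeholder, not a real card
        "session_token": "tok_PLACEHOLDER",
    }
}

# Fields that must never appear in any response body, whatever the endpoint.
SENSITIVE_FIELDS = frozenset({"password_hash", "card_pan", "session_token", "phone"})

# Allowlists per audience: anything not listed never leaves the server.
PUBLIC_PROFILE_FIELDS = ("id", "display_name")
OWNER_PROFILE_FIELDS = ("id", "display_name", "email", "card_last4")


def profile_vulnerable(user_id: int) -> dict[str, Any]:
    """Excessive data exposure: dumps the raw record and trusts the client to hide fields."""
    return dict(BACKEND_USERS[user_id])


def profile_hardened(user_id: int, requester_id: int) -> dict[str, Any]:
    """Serializes through an explicit allowlist chosen by who is asking."""
    record = BACKEND_USERS[user_id]
    fields = OWNER_PROFILE_FIELDS if requester_id == user_id else PUBLIC_PROFILE_FIELDS
    return {key: record[key] for key in fields if key in record}


def leaked_sensitive_fields(response: Any) -> list[str]:
    """Regression check for a test suite: walk a JSON-like response (nested dicts
    and lists) and report any sensitive key that made it into the body."""
    found: set[str] = set()
    stack = [response]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            found.update(key for key in node if key in SENSITIVE_FIELDS)
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return sorted(found)
```

Running `leaked_sensitive_fields` over every endpoint's response shape in CI turns the "return only what the client needs" rule into a failing test rather than a code-review reminder.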
Poor authentication procedures
Many APIs don’t restrict the number of times clients or users can request resources. This leaves loopholes for threat actors to gain access by brute-forcing users’ credentials.
Not only that, but attackers can also submit a high volume of API requests to overwhelm system resources, perform credential cracking, and exfiltrate large data sets. Threat actors exploit broken or weak authentication in APIs to gain unauthorized access to users’ accounts and their data.
API providers and client applications must be able to profile what a normal authentication sequence looks like for every API flow. Doing so helps them detect abnormal API traffic behavior.
With API attacks rising by 681% in the past 12 months, it’s important to prioritize securing your API program for the organizations adopting it. While putting together an API security strategy that mitigates API security risk can be overwhelming, an API security checklist is a great place to start, along with the Open Web Application Security Project (OWASP) requirements for secure development.
Author Bio: Femi Oyelola is a cybersecurity enthusiast & content marketer. He helps cybersecurity companies create content that builds trust and educates their audience. He enjoys writing about topics like data privacy, internet security, and ransomware. He is a regular writer at Bora. Whenever he is not writing, he loves traveling, reading thrillers, or listening to Afrobeats.
Femi is a guest blogger. All opinions are his own.