The vast majority of API attacks are actually undetected and therefore not visible to most organizations. But when a poorly secured API leads to a damaging data breach, the consequences of ignoring this attack vector becomes immediately apparent.
On Friday, we saw the most recent example of this. Facebook announced that a massive data breach had been detected, affecting over 50 million accounts. They admitted that they didn't know what kind of information was stolen, nor how many other user accounts had been compromised as a result of the breach.
What we do know is that the credential theft was the result of a vulnerability introduced into the code back in July of 2017 and only recently discovered on September 25, 2018.
Mark Zuckerberg said that the attackers used Facebook developer APIs to obtain profile information such as name, gender and hometowns, but the investigation may end up revealing that much more was stolen over the course of the year the vulnerability was out in the open.
According to Guy Rosen, VP Product Management at Facebook, attackers exploited a vulnerability in Facebook’s code that impacted “View As,” a feature that lets people see what their own profile looks like to another Facebook user. Unfortunately, the vulnerability resulted in the generation of an access token that had the permissions of the Facebook mobile app, not for the viewer, but for the other Facebook user. This allowed the attacker to steal the other user’s Facebook access token, which could then be used to take over other accounts.
But this is not the first time Facebook is in the news due to the misuse of its APIs. Cambridge Analytica used a “loophole” in Facebook’s APIs to collect data from over 80 million users between 2013 and 2015.
We have recently seen a spike in breaches that resulted from vulnerabilities in API infrastructures including at T-Mobile, Verizon, Snapchat, oBike, Panera, PF Chang’s, LocationSmart and more. Attackers took over accounts, stole private information and photos and sometimes extracted credit card numbers.
Stronger protection for API infrastructures
So if APIs are used to interface everything of value these days, why don't most organizations have visibility into their actual usage? Why can’t they identify when their APIs are being abused?
These breaches point to the need for stronger protection for API infrastructures. Stronger protection starts with understanding precisely, and at all times, what’s happening with all APIs. That means having a complete audit trail of all traffic, not just to and from the APIs, but to and from the digital assets served by the APIs—the data and applications with which they interface.
Stronger protection is also about being able to detect abnormal activity on an API. That may include someone using a stolen token or cookie to take over an account, someone launching a brute force attack on an API to get behind the security wall or someone extracting a massive amount of data via an API—like in the Cambridge Analytica situation. Note that rule-based systems don’t do much against these types of attacks, nor will code scanning be helpful to identify the sorts of vulnerabilities that permitted these abuses.
Finally, stronger protection is about implementing token binding to defend against compromised token attacks by cryptographically securing tokens with secrets held by the client. This multivendor, IETF-proposed standard makes it much more difficult to steal and utilize access tokens to access another user’s account.
Addressing the big data problem of API security
API security is a hard problem. It is a big data problem! Consider the massive amount of simultaneous connections, all coming in at different velocities from different mobile devices or laptops, using different browsers and applications and accessing a variety of APIs, data and applications. You begin to realize that identifying one bad actor who is working on stealing data is like looking for a needle in a haystack.
This is the reason PingIntelligence for APIs uses artificial intelligence to protect API infrastructures from cyberattacks and misuse:
It can detect and block cyberattacks that target APIs to compromise data and systems.
It delivers deep visibility into how each API is accessed and used.
It requires no predefined policies, rules or attack signatures and can stop attacks that are new and changing.
Its API activity reporting simplifies forensic analysis and facilitates meeting compliance requirements.
It overlays existing API infrastructures to protect API Gateways and APIs implemented directly on application servers.
It provides comprehensive threat protection across a range of attacks: from hackers without credentials probing for vulnerabilities to attacks on data and line of business applications—including account take over, data theft or destruction, complete host takeover and more.
The lack of visibility and attack detection is the reason we’re seeing more and more headlines involving breaches via APIs.
And this is just the start. For most organizations, there is not much protection between a hacker and an API—and most API abuses and attacks go undetected for a very long time, if discovered at all!