App Tiers Affected:
In the 2018 Application Protection Report, we mentioned the potential vulnerabilities associated with application programming interfaces (APIs). These APIs specify how various application components and clients should autonomously interact with each other to deliver the application experience. Through APIs, software services exchange commands and data. Because of this, APIs are tantalizing morsels for predators of the Internet to go after. When attackers breach an API, they often gain full administrative access to the application services within. Making matters worse, APIs are intended for code-to-code interaction, so they often get overlooked in security hardening and software testing. In the past, APIs were uncommon, but their usage is growing alongside the adoption of cloud services, software as a service (SaaS), serverless and mobile computing, and large platform integration with third-party partners.
For our 2018 Application Protection Report, we surveyed thousands of IT security professionals about which applications they deployed via API. The top answers were:
- Office suites — 50%
- Communication apps (such as email and texting) — 45%
- Document management and collaboration — 36%
These are all core, critical applications that manage the day-to-day business of organizations.
API Access Control
Since APIs by their very nature are designed to accept commands—often providing full administrative access—they should require much stronger access control than normal user logins. This means using multi-factor authentication; stringent role-based, least-privilege rights assignments; and detailed logging. In that same survey for the 2018 Application Protection Report, we also asked about API authentication. When questioned if they deployed additional authentication for their APIs, 25% of respondents said they didn’t, 37% said they did “most of the time,” and 38% said they did “some of the time.”
API Security Incidents
We reviewed recent large breaches as well as publicized security incidents associated with APIs from the past few years. It seems there have been a lot of problems, which fall primarily into two large groups of API users.
Large Platforms with Lots of Third-Party Integrations
The first group is made up of the large platform providers who, by virtue of their business models, require rich third-party integrations. Just skimming the names—GitHub, Facebook, Salesforce—reveals the scale and kind of services we’re talking about. These platforms are designed to ingest data for storage, then share and process it with third-party services and customers. Their APIs are truly the freeways into their applications where a bulk of the work flows in and out. The sheer number of systems using the APIs means that the API must manage authentication and access privileges on the scale of tens of thousands of connections and millions of operations every day. The immense stores of valuable data in these application platforms also make them very attractive targets for the entire spectrum of threat activity (crime, hacktivism, espionage, warfare). Listed below are some major API security incidents that have occurred just over the past few years:
|Affected Organization||Date||What happened|
|US Postal Service||Nov 2018||An authentication vulnerability in the API for tracking allowed anyone with an account to view any other account information.1|
|Valve||Oct 2018||Vulnerability found in marketplace API that leaked game license keys.2|
|GitHub||Oct 2018||Vulnerability in the Events API exposed confidential information on projects and logs for about a year.3|
|Sep 2018||Developer API leaked personal information of 50 million users.4|
|Salesforce||Aug 2018||API exposed customer contact details and data of sales prospects.5|
|T-Mobile||Aug 2018||Attackers accessed personal information for 2 million customers via API.6|
|Venmo||Jul 2018||Security researchers were able to download 200 million customer payment transactions via public API.7|
|WordPress||Feb 2017||A vulnerability in the REST API allowed 1.5 million websites to be hacked.8|
Very few mobile applications stand alone. Most mobile apps are specialized software clients that query a server over the network to supply data or additional processing for the mobile client. Some of these connections are obvious, like email or podcasting apps, which need remote data feeds. However, there are others such as weather apps (querying a weather service), navigation apps (querying map databases), and even games apps (querying advertising content or multiplayer servers). All these service connections are using APIs from the mobile client to a server or platform online somewhere.
Attackers will often decompile and examine the mobile client to uncover the mechanism used to authenticate and access the API. In some cases, the attacker will even acquire the developer kits and documentation associated with the mobile client or associated libraries to assist in their search for strike points. Shown below are some major mobile API security incidents that have occurred over the past few years:
|Affected Organization||Date||What happened|
|Apple iPhone||Sep 2018||iPhone mobile device management API was found to be vulnerable to brute forcing, allowing unauthorized access to confidential information.9|
|RSA Conference mobile app||Apr 2018||Mobile app contained hard-coded API credentials that allowed access to attendee database of contact information.10|
|Tinder mobile app||Jan 2018||Vulnerability in API HTTPS configuration leaked confidential information on users.11|
|Instagram app||Aug 2017||Vulnerability in API allowed an attacker to access user contact information.12|
|Tinder mobile app||Mar 2015||API vulnerable to Facebook credential spoofing attack was used for a prank on Tinder users.13|
The number one entry in the OWASP Top 10 Mobile14 security list of problems is “Improper Platform Usage”. This security vulnerability warns specifically: “Any exposed API call can serve as attack vector here” when “the exposed service or API call is implemented using insecure coding techniques...”15 The exploitability for this security issue is rated “Easy” and the technical impact is rated “Severe”. As you can see, those warnings were prescient.
What Is Going Wrong?
Looking at these security incidents, you can see patterns associated with the same, classical problems in application security that we’ve always had: attackers gaining access by brute force attacks or stolen credentials. Furthermore, once authenticated to the API, attackers exploited the overly broad assigned permissions.
Once authentication credentials are stolen, like by phishing, APIs are a great way to silently drain off accounts via bots, like what happened to Binance in March of 2018.16 No single API user should be able to access thousands or millions of customer records, without at least raising some kind of alarm.
Lastly, many of these API incidents are the result of injection attacks, which continue to be a problem in application security. Injection attacks are a side effect of weak input sanitization that allows attackers to inject commands directly against the application. These vulnerabilities are known, solved problems in application security. We know how to test for them and how to prevent them, yet they continue to occur.
The first step in defending an API is to become aware of what APIs are in place and what they can do. Since APIs are not user-facing, they can be overlooked in web application security assessments. In many cases, unless you direct the security assessor to the specific API to be tested, they will not get tested. Many APIs often run on alternate TCP ports than the main user web service (80 /443) and are therefore overlooked in the scanning process. Sometimes they’re buried deep in an esoteric URL like http:www.website.com/servicestub/hook/api that isn’t discoverable in a normal web crawl. Even applications that don’t necessarily offer external API services may still have APIs enabled by default within their infrastructure. Modern applications are like onions, made up of many independent layers of services, sometimes in different locations and technological environments. These layers communicate via Internet-accessible APIs, perhaps in ways only known by the developers. Having hidden APIs doesn’t mean attackers can’t find them; attackers are often more willing to invest time and resources to find holes.
There is a second level of understanding your APIs: knowing the permissions and what functions are allowed. Many APIs have identity access management privileges hidden within a configuration setting or even hard-coded into the application. Things get more complicated when software updates can invisibly alter these settings. An API that links a web user interface to a third-party geolocation application may be Internet-accessible and offer root privileges on the web server. Unless you check, you would never know. Furthermore, many APIs either have logging disabled or do not offer security logging features. If an attacker tried to brute force the authentication on an API, would the security team be alerted?
Lastly, all API connections make use of the HTTP protocol and serialization of data. This means the data may not be easily human-readable but it is still decodable if transmitted without encryption.
Given application complexity—not to mention the constant updates—sometimes the most prudent choice is to gate as much of the application as you can with an application-aware firewall that’s configured to allow only the connections that you expect, and to wrap them in transport encryption like TLS. In my experience, it’s often during this firewall deployment process that APIs are discovered—they become restricted by the network access controls and things malfunction. This is often when the developers pipe up with the revelation of a previously undisclosed critical API that ties the systems together. As troublesome as this makes deployments, it’s much better to find these dependent APIs before an attacker does—and you end up a headline.
The API Attack Surface Will Keep Growing
We’re just at the beginning of the hockey stick growth curve of API usage. Technologies such as serverless computing use APIs to tie together large numbers of functions, including storage, message queues, data processing, and library look-ups. This multitude of serverless connections will mean that a single application could have hundreds of Internet-exposed APIs. The growth of IoT devices, single page applications,17 and mobile applications will also increase API usage, as these are all essentially small, dependent clients calling an API over the Internet.
Regulators are also advocating for more API usage to facilitate open data exchange among businesses and organizations. The US Health Information Technology for Economic and Clinical Health (HITECH) Act encourages accessibility and exchange of Electronic Health Records via APIs.18 Hospitals, clinics, laboratories, pharmacies, and diagnostic facilities are all building large-scale API connectivity to facilitate this. In the European Union, the revised Payment Services Directive (PSD2)19 went into effect in January of this year, designed to promote greater banking interoperability. European financial services and payment vendors are leaning heavily on APIs to connect with one another.
All of these factors foreshadow a tremendous increase in API deployments across the globe. Now is the time to get started on an API security strategy and control architecture before the deluge begins in earnest.
The F5 SIRT is currently seeing active attacks specifically against APIs, including brute force attacks. To protect your organization, ensure that your web application firewalls and other security solutions are configured to detect, alarm, and block API-specific attacks.