How API Abuse Became the Top Vector for Data Breaches
Introduction - What is API Abuse?
API abuse has recently become an important topic among security professionals, and for good reason. In the past two years, we have seen large-scale data breaches happen as a result of APIs being abused or misused in some way.

API abuse occurs when a malicious party uses an API in a way that its original design did not intend, such as making excessive requests to a server in order to cause a denial of service, or using an API to access sensitive information without proper authorization.

API abuse can take many forms, and the specific type of abuse depends on the functionality of the API and the nature of the attack. Some common forms of API abuse include:
- Scraping: using automated scripts to extract large amounts of data from an API, which can slow down or crash the server.
- Spamming: using an API to send large numbers of spam messages or requests, which can also slow down or crash the server.
- Injection attacks: injecting malicious code into an API request in order to execute arbitrary commands on the server.
- Stealing data: Using the API to access sensitive information like personal user data or financial information.
Recent Data Breaches via API Abuse
The Optus Breach
The Australian wireless service provider Optus recently suffered a data breach in which the attacker used an unauthenticated API endpoint to gain access to customers' sensitive data. This was the first time a major telecommunications company in Australia suffered such a large and public breach, bringing a huge spotlight to the problem of API security for the country and for the world at large. As more information is released about the Optus breach, it is becoming clear that companies need to take API security seriously: the financial costs and reputational damage far outweigh the cost of funding security programs that operate transparently to keep customers and their data secure and private.
Venmo and Coinbase
One of the biggest reasons APIs are difficult to protect is that malicious API traffic looks normal to security tools such as a web application firewall (WAF). The Venmo and Coinbase incidents are perfect examples of this phenomenon. At Venmo, one of its unsecured public API endpoints allowed a student to scrape 200 million users' financial transactions; this looked like normal traffic to its security solution. At Coinbase, improper API validation allowed an attacker to make unlimited cryptocurrency trades between different currency accounts. Again, this looked like perfectly normal traffic to its security solutions.
Twitter's API Vulnerability
VentureBeat reported more information about Twitter's API security issues, adding that the vulnerability turned out to be a goldmine for sensitive data, including PII, and drawing the connection between APIs and social engineering campaigns. According to VentureBeat:
"Insecure APIs provide cybercriminals with a direct line to access users' personally identifiable information (PII), usernames and passwords, which are captured when a client makes a connection to a third-party service's API. Thus, API attacks provide attackers with a window to harvest personal data for scams en masse."
It continues: "Information collected during the incident included data such as usernames, email addresses, Social Security numbers and dates of birth — all highly valuable information for developing social engineering scams and spear phishing attacks. Unfortunately, it appears that this trend of API exploitation will only get worse, with Gartner predicting that this year, API abuse will become the most frequent attack vector."
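The Optus and Venmo cases above both involve an endpoint that returned customer data to any caller. As an added illustration that is not code from the original post or from Traceable, the following shows a minimal lookup handler in that unauthenticated form beside a hardened form that authenticates the caller and enforces object-level authorization; the customer records, tokens and function names are constructed for the example.

```python
# Added example (not from the original post or Traceable): an unauthenticated
# customer-lookup handler beside a hardened version. Data and tokens are
# constructed sample values.
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample records keyed by a sequential, guessable customer id.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "licence": "DL-000001"},
    1002: {"name": "B. Example", "licence": "DL-000002"},
}
# Constructed bearer tokens mapped to the customer id each one belongs to.
TOKENS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


def lookup_insecure(customer_id: int, headers: dict) -> Tuple[int, Optional[dict]]:
    """Vulnerable form: any caller can read any record simply by supplying its id."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def authenticate(headers: dict) -> Optional[int]:
    """Resolve the Authorization header to a customer id, or None if missing/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, cid in TOKENS.items():
        # Constant-time comparison so the token check leaks no timing information.
        if hmac.compare_digest(presented, token):
            return cid
    return None


def lookup_secure(customer_id: int, headers: dict) -> Tuple[int, Optional[dict]]:
    """Hardened form: authenticate, then confirm the caller owns the requested object."""
    caller = authenticate(headers)
    if caller is None:
        return (401, None)  # unauthenticated requests never reach the data store
    if caller != customer_id:
        # Ownership is checked before the lookup, so a valid token cannot be used
        # to enumerate other ids, and 403 vs 404 reveals nothing about existence.
        return (403, None)
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)
```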
What Are Some of the Worst Forms of API Abuse?
Some of the worst forms of API abuse include:
- Data Breaches: Data breaches happen via API abuse when a malicious user abuses an API to gain unauthorized access to sensitive data such as personal user information or financial information. This can lead to identity theft, financial fraud, and other serious consequences for both individuals and organizations.
- Ransomware Attacks: This hasn't been discussed very often, but it happens. An API is used to inject malware into a server or network, which then encrypts or otherwise locks up important data, making it inaccessible to anyone within the organization. The attacker may then demand a ransom in exchange for the decryption key or a promise not to release the stolen data on the dark web.
- DDoS Attacks: DDoS attacks have been around for many years – decades, even. But in more recent years, APIs have been identified as a way of launching a Distributed Denial of Service (DDoS) attack against a server or network in order to make it unavailable to legitimate users. This can disrupt critical services, causing operational downtime, financial losses and reputational damage.
- Account Takeover: Account takeover is predominantly discussed among email security vendors, but APIs have become one of the top methods for this attack type. It involves using an API to gain unauthorized access to user accounts, allowing attackers to make unauthorized transactions and purchases and to change login credentials and personal information, causing serious damage to the organization's reputation and to the individual's accounts.
- Supply Chain Attacks: An attacker might use the API of a software component supplier (such as a library) that is included in other software in order to gain access to the vulnerable component's user base.
API providers will use certain API security measures to avoid this type of abuse, such as a Web Application Firewall (WAF), but WAFs can often be bypassed.
Why Can’t a WAF Help Prevent API Abuse and Fraud?
WAFs are often used in conjunction with other security measures, such as firewalls and antivirus software, to provide a comprehensive security solution for web applications. While a WAF can provide some security benefits, it is not designed to protect against the full range of security threats that APIs face. For example, a WAF may not provide the ability to authenticate users or systems that are accessing an API, or to control access to an API based on the identity of the user or system. Additionally, a WAF is typically not designed to protect against advanced threats such as man-in-the-middle attacks or injection of malicious payloads. Web Application Firewalls simply have too many architectural limitations that stop them from protecting against API attacks. API threats, and specifically API abuse, attack the unique business logic of APIs and therefore cannot be identified by signatures, even if you customize a WAF's configuration.
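To make the signature limitation concrete, here is an added example (not code from the original post or from Traceable) that runs two checks over the same constructed access-log lines: a WAF-style payload signature, which finds nothing because every request is syntactically ordinary, and a per-client behavioural check that flags the sequential customer-id enumeration typical of the scraping described earlier. The log format, paths and thresholds are assumptions made for the example.

```python
# Added example (not from the original post or Traceable): signature matching
# vs. behavioural detection over constructed API access-log lines.
import re
from collections import defaultdict

# Constructed log lines: client, method, path, status.
LOG = """
10.0.0.5 GET /api/v1/customers/1001 200
10.0.0.5 GET /api/v1/customers/1002 200
10.0.0.5 GET /api/v1/customers/1003 200
10.0.0.5 GET /api/v1/customers/1004 200
10.0.0.5 GET /api/v1/customers/1005 200
10.0.0.5 GET /api/v1/customers/1006 200
10.0.0.9 GET /api/v1/customers/2210 200
10.0.0.9 GET /api/v1/customers/2210/orders 200
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# Representative WAF signature: known-bad payload fragments in the request path.
SIGNATURE_RE = re.compile(r"(?i)(union\s+select|<script|\.\./)")
OBJECT_RE = re.compile(r"^/api/v1/customers/(\d+)")


def parse(lines):
    """Yield (client, method, path, status) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def signature_hits(lines):
    """WAF-style check: return paths that match a known-bad pattern."""
    return [path for _, _, path, _ in parse(lines) if SIGNATURE_RE.search(path)]


def enumeration_hits(lines, max_distinct=3):
    """Behavioural check: map each client to the number of distinct customer ids it
    read successfully, and flag clients whose ids exceed the threshold and form an
    unbroken sequential run, the fingerprint of id enumeration (scraping)."""
    ids = defaultdict(set)
    for client, _, path, status in parse(lines):
        m = OBJECT_RE.match(path)
        if m and 200 <= status < 300:
            ids[client].add(int(m.group(1)))
    flagged = {}
    for client, seen in ids.items():
        ordered = sorted(seen)
        sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if len(seen) > max_distinct and sequential:
            flagged[client] = len(seen)
    return flagged
```

The threshold and the sequential-run test are deliberately simple; in practice the baseline per client or per token would come from observed traffic rather than a constant.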
The Bottom Line
What we have observed here at Traceable is that the vast majority of organizations do not know or understand just how much sensitive data is being transmitted through their APIs, and are in desperate need of a solution that can detect and stop API abuse events that lead to the exfiltration of data, among other negative consequences. We encourage you to thoroughly investigate your security stack and make sure your organization won't be the next major API breach.
About Traceable
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.