Contact us
Request demo →
Contact us
search
close

Defend yourself against a coming wave of API cyberattacks

by Cybersprint Blog 11 Jan 2022

APIs (Application Programming Interfaces) are used by countless businesses. By defining the rules that programmers must follow to interact with a programming language or software tool, they play a key role in enabling organisations to connect with services and transfer data.

Unfortunately, although APIs may be ubiquitous, API security is not. Despite the fact that APIs are used to connect you to your bank, social network, or news outlets (whether you’re using a mobile app or a web browser), several security issues are commonly found. These include the half-hearted implementation of authentication protocols, the easy access to API keys, or the absence of authentication functionality altogether.

If APIs are to continue playing such a prominent role in the digital ecosystem, the defences protecting them need to be tightened up.

API attack methods

Although vulnerabilities are certainly present within APIs, they don’t yet appear to represent a significant proportion of the most common attack vectors. This is probably because although cybercriminals may be innovative, they like to optimise their return on investment. So, with other methods (ransomware, phishing, Man-in-the-Middle attacks, etc.) proving effective, there is little desire to explore the opportunities provided by API vulnerabilities. Not yet, anyway.

However, it is likely that cybercriminals will eventually start to make greater use of API security flaws - with potentially devastating impacts for businesses and individuals. EU regulations mandate a high level of security control from organisations – over both their own infrastructure as well as their supply chain. Based on our research, we estimate API breaches and data leaks could result in GDPR fines worth tens of millions of dollars or euros. This was based purely on the API vulnerabilities we discovered in a 20-hour window; the true financial and reputational impact is likely to be much greater.

Looking just at Swagger APIs, where the Swagger file provides a description of the entire API, such as available endpoints, operations on each endpoint, operation parameters input, and output for each operation, we found many with security failings. Assessing a total of 13,041 Swagger APIs, we discovered APIs with sensitive internal data regarding employees, clients, and invoice data that was exposed to the public. The presence of hardcoded keys, as well as broken login protocols, meant APIs were widely accessible, presenting significant data leaks.

Boosting your API security

As the awareness around API security risks grows, we expect businesses and developers to prioritise their defences in this area. Managing your API traffic, putting robust identification protocols in place, and employing anomaly detection are all approaches that organisations can take to shut down API vulnerabilities.

Attack surface management is another method businesses can use to detect and eliminate the misconfigurations and process failures that grant attackers access to APIs. Cybersprint’s Attack Surface Management platform automatically and continuously detects, monitors and correlates digital assets - including APIs - related to your brand. The platform’s AI tools automatically assess your assets to identify weaknesses, errors, vulnerabilities, or threats. What’s more, the platform’s outside-in approach eliminates any blind spots and exposes the misconfigurations missed during the development process.

Don’t wait around. Tackle any vulnerabilities lurking within your APIs now - before threat actors identify them first.  

See how our Attack Surface Management platform finds risky assets in our data sheet.

View Data Sheet API Security

Disinformation: a certainty in uncertain times

Since the beginning of the internet, we have seen a near, if not an exponential, surge of information sharing amongst users in cyberspace. Not long after, we saw how the emergence of social media ushered an access to public online platforms where other internet users worldwide could share, discuss, promote, and consume information, whether by deliberate choice or not.

read more

Threat Report: Remote vulnerability in Confluence, fixes available

On 2 June, 2022 a critical vulnerability was identified in Atlassian Confluence (CVE-2022-26134). The vulnerability in question relates to active exploitation of unauthenticated remote code execution in Confluence Data Center and Server; meaning that the vulnerability could lead to code being executed remotely.  

read more

Looking back on the 2021 vulnerability: Log4shell

In December 2021 a critical vulnerability surfaced named Log4shell within Log4j, a widely used logging tool for java applications. Log4j is used globally by computers running online services, which meant it impacted a multitude of people, organisations, and government organisations. Since then, multiple fixes have been implemented in the hope to avoid such an outbreak in the future.

read more

Do you have a question?

Our experts have the answers

Contact us