Top 5 Biggest API Security Attacks in 2021
As more than 80% of internet traffic goes through APIs, it's no surprise that hackers keep looking for ways to exploit API weaknesses.
2021 was a year of severe breaches and data leaks on the internet, with several kinds of API abuse on display, including reverse engineering, insecure databases and session hijacking.
Let's look at the top 5 API security breaches and leaks of 2021 that exposed the personal information of millions of people online.
1: LinkedIn Data Breach
What happened with LinkedIn?
LinkedIn, owned by Microsoft, has always been a prime target for cybercriminals. In June 2021, a threat actor calling themselves “God User” scraped data through LinkedIn APIs and put the information of 700 million LinkedIn users (more than 90% of all LinkedIn profiles) up for sale on the Dark Web forum RaidForums.
Image source: inputmag
Impact: A sample of one million records was posted, containing usernames and profile URLs, phone numbers, gender, inferred salaries, email addresses, social media account information, etc.
How did it happen?
The hacker said he obtained the data by querying LinkedIn's servers for the information users had uploaded to their LinkedIn profiles. LinkedIn's APIs are not intended to serve as a login mechanism and cannot be used as such, so they cannot be called without prior authentication; the scraping was therefore post-login in nature.
Tips to avoid: Risk-based protection for applications and APIs is essential: identify every endpoint, its risk posture and its weaknesses.
A WAAP (Web Application & API Protection) platform such as AppTrana uses signature recognition, security-centric monitoring and encryption in transit (TLS) as standard, along with other security methods, to block attempted API abuse.
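Because the LinkedIn scraping was done through authenticated API calls, signature-based blocking alone would not have caught it; what stands out in the access logs is one token walking through far more distinct profiles than any normal user would. The detection below is an added example, not code from the page or from LinkedIn or AppTrana: it runs a sliding-window count of distinct profile IDs per API token over a constructed log sample (the log format, token names and `/v2/profiles/` path are assumptions) and reports the tokens that exceed a threshold.

```python
import re
from collections import defaultdict

# Constructed sample of API access log lines (not real LinkedIn data).
# Format assumed for this example: epoch seconds, API token id, method, path.
SAMPLE_LOG = """\
1623000000 tok_A GET /v2/profiles/1001
1623000001 tok_A GET /v2/profiles/1002
1623000002 tok_A GET /v2/profiles/1003
1623000003 tok_A GET /v2/profiles/1004
1623000004 tok_A GET /v2/profiles/1005
1623000005 tok_A GET /v2/profiles/1006
1623000010 tok_B GET /v2/profiles/2001
1623000020 tok_B GET /v2/profiles/2001
1623000030 tok_B GET /v2/feed
1623000100 tok_C GET /v2/profiles/3001
1623000101 tok_C GET /v2/profiles/3002
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
PROFILE_RE = re.compile(r"^/v2/profiles/(\d+)$")


def parse(log_text):
    """Yield (timestamp, token, path) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(4)


def scraping_suspects(log_text, window=60, threshold=5):
    """Return {token: distinct_profiles} for every token that fetched more than
    `threshold` distinct profiles inside some `window`-second sliding window.

    Repeated views of the same profile are counted once, so a user refreshing
    one page does not trip the rule; sequential enumeration does."""
    events = defaultdict(list)          # token -> [(ts, profile_id), ...]
    for ts, token, path in parse(log_text):
        pm = PROFILE_RE.match(path)
        if pm:
            events[token].append((ts, pm.group(1)))

    suspects = {}
    for token, ev in events.items():
        ev.sort()
        for i, (start_ts, _) in enumerate(ev):
            # Distinct profiles seen from this event until the window closes.
            seen = {pid for ts, pid in ev[i:] if ts - start_ts <= window}
            if len(seen) > threshold:
                suspects[token] = len(seen)
                break
    return suspects


if __name__ == "__main__":
    for token, count in scraping_suspects(SAMPLE_LOG).items():
        print(f"ALERT token={token} distinct_profiles_in_window={count}")
```

In production the threshold would be tuned per endpoint from baseline traffic, and the alert would feed a rate limiter or token revocation rather than only a log line.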
2: NoxPlayer Supply Chain Attack
In January 2021, a highly targeted attack on specific machines was discovered across Asia against NoxPlayer, the most popular Android emulator for Windows and macOS, with over 150 million users.
Image source: welivesecurity
Impact: Five NoxPlayer users in Taiwan, Hong Kong and Sri Lanka who downloaded a trojanised update posing as a legitimate NoxPlayer update were infected with malware.
Cause: Attackers compromised the official NoxPlayer API (api.bignox.com) and file hosting infrastructure (res06.bignox.com). With that access, changing the download URL served for software updates was enough to deliver malware to Android emulator victims in the Asian region.
Tips to avoid: Make your web application more secure, and keep out hackers, malicious code and unauthorized access, by scanning your website/application at scale.
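The NoxPlayer case turned on the client trusting whatever download URL the update API returned. A client that verifies the update manifest independently of the server it talks to limits the damage of a compromised API or file host. The following is an added example, not NoxPlayer's or BigNox's code: it checks a manifest signature, an allowlist of download hosts, and the package hash before an update is accepted. The manifest layout, `ALLOWED_HOSTS` and the package contents are constructed, and the HMAC signature is a standard-library stand-in for the public-key signature (for example Ed25519) a real update client would verify with the vendor's public key.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hosts the update client may download from (assumption for this example).
ALLOWED_HOSTS = {"res06.bignox.com"}

# Stand-in for the vendor's signing key. HMAC is used so the example runs with
# the standard library only; a real client verifies an asymmetric signature
# and never holds the signing key.
SIGNING_KEY = b"example-signing-key-not-real"


def canonical(manifest):
    """Serialise the signed fields deterministically so both sides hash the same bytes."""
    signed_fields = {k: manifest[k] for k in ("version", "url", "sha256")}
    return json.dumps(signed_fields, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=SIGNING_KEY):
    """Vendor side: attach a signature over the canonical fields."""
    signed = dict(manifest)
    signed["sig"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_update(manifest, package_bytes, key=SIGNING_KEY):
    """Client side. Returns (ok, reason); every failure path is a hard reject."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        return False, "signature mismatch"
    parsed = urlparse(manifest["url"])
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return False, f"disallowed download location: {manifest['url']}"
    digest = hashlib.sha256(package_bytes).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "package hash mismatch"
    return True, "ok"


# Constructed sample data: a genuine package and a substituted one.
GENUINE_PACKAGE = b"genuine NoxPlayer update bytes (constructed)"
MALICIOUS_PACKAGE = b"substituted binary (constructed)"

GOOD_MANIFEST = sign_manifest({
    "version": "1.2.3-example",
    "url": "https://res06.bignox.com/updates/nox-example.exe",
    "sha256": hashlib.sha256(GENUINE_PACKAGE).hexdigest(),
})


def tampered_url_manifest():
    """Compromised API rewrites the URL but cannot re-sign: signature check fails."""
    m = dict(GOOD_MANIFEST)
    m["url"] = "https://attacker.example/nox.exe"
    return m


def signed_offsite_manifest():
    """Even a validly signed manifest pointing outside the allowlist is rejected."""
    m = {k: GOOD_MANIFEST[k] for k in ("version", "url", "sha256")}
    m["url"] = "https://attacker.example/nox.exe"
    return sign_manifest(m)


if __name__ == "__main__":
    print(verify_update(GOOD_MANIFEST, GENUINE_PACKAGE))
    print(verify_update(tampered_url_manifest(), GENUINE_PACKAGE))
    print(verify_update(signed_offsite_manifest(), GENUINE_PACKAGE))
    print(verify_update(GOOD_MANIFEST, MALICIOUS_PACKAGE))
```

The three checks cover the three things an attacker on the update path can change: the manifest itself (signature), where the client is sent (host allowlist) and what it receives (hash). Only an attacker holding the vendor's signing key defeats all of them, which is why that key must not live on the API or file servers.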
3: Bykea Data Breach
Bykea, the Pakistani on-demand vehicle rental and delivery app, suffered a breach of highly sensitive data on its customers and drivers: personally identifiable information (PII), login credentials of internal employees and production server information; it may also have lost its API logs.
Impact: Over 400 million records, more than 200 gigabytes of data, were exposed for weeks. The database server held comprehensive trip information, freely available to anyone, including where customers were picked up and dropped off and when drivers arrived during their journeys.
Image Source: Security Detectives
Work email addresses used to correspond publicly with users are also potential weak points, a gateway for hackers who can take user data in any form or disguise and exploit it.
Cause: The exposed Elasticsearch server instance had no password protection or encryption.
Tips to avoid: Data on the server must be encrypted, at rest and in transit. Given the massive increase in cyberattacks, leaving an Internet-facing database server open without basic encryption or authentication hygiene is like sending hackers an open invitation.
Adopt security solutions that not only cover vulnerability assessments, security audits, and penetration testing, but also manage security across your entire system.
4: The theft of money from the Central Bank of Russia
What happened with the Central Bank of Russia API Security Violation?
According to bank officials, criminals were able to attack the bank's operations by interfering with its electronic interbank money transfer system: threat actors could transfer funds from customer accounts through the Faster Payments System (FPS).
Impact: The money transfer attack was apparently used to steal money from individuals; no companies were victimized.
How did it happen? A textbook case of broken object-level authorization: attackers enumerated identifiers through an API endpoint to obtain a list of user accounts at the bank.
The hackers then replaced the “Account ID” parameter with an arbitrary account number. The transfer went through, with the unverified account appearing as the source of the funds transfer request rather than the account that actually originated it.
Tips to avoid: URL parameters must be restricted, fully controlled and bound to unique tokens. By protecting your cloud infrastructure from modern cyberattacks, you can effectively prevent applications from being compromised.
5: Parler API Breach
An API security flaw allowed white hat hacker donk_enby to exploit a vulnerability in the social media app Parler. As a result, she was able to download archived public posts and user data (including registration IDs, emails and login activity timestamps) shortly before Amazon Web Services, Google and Apple terminated Parler's accounts and took it off the Internet.
Image source: saltsecurity
Impact: 70 terabytes of data were stolen from the Parler social network by cybercriminals harvesting information through insecure APIs. Deleted and private posts, videos, images, driver's licenses, geolocation, phone types and IDs, etc. were part of the “archived” data.
How did it happen? A typical case of reverse engineering Parler's iOS API: the hacker used the Ghidra software to explore and analyze Parler's code and find public endpoints. Interestingly, the social media app used sequential numbering for post URLs, an insecure direct object reference, so the guessable pattern was easy to pick up, and the API gave access to all post URLs without any authentication.
For example, https://yourapp(dot)folder/v1/photo?id= . Add 1 and you get the next post URL in the sequence.
In Parler's case, one could walk through the social media post URLs in chronological order (which, in an ideal world, should be hidden and inaccessible) simply by incrementing the value by one.
Tips to avoid: In an ideal world, URLs should be hidden and inaccessible, with limits on public API calls. AppTrana, with its innovative positive security model and behavior-based DDoS policies, mitigates such attacks.
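The bank case (a client-supplied “Account ID” trusted as the source of a transfer) and the Parler case (sequential post IDs readable without authentication) are the same defect, broken object-level authorization, seen from two angles. The example below is added here and is not code from the page or from either company: a vulnerable transfer handler sits beside a hardened one that checks ownership against the authenticated caller, and account identifiers are issued as random tokens rather than an incrementing counter. `Bank`, `Account`, `Forbidden` and the caller names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the object they named."""


@dataclass
class Account:
    owner: str      # authenticated principal who owns this account
    balance: int


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)   # account id -> Account

    def open_account(self, owner, balance):
        # Unguessable identifier (22 URL-safe chars from 16 random bytes).
        # An incrementing integer would let anyone walk every account by adding 1.
        acct_id = secrets.token_urlsafe(16)
        self.accounts[acct_id] = Account(owner, balance)
        return acct_id

    def transfer_vulnerable(self, caller, src_id, dst_id, amount):
        """BOLA: the source account comes straight from the request and the
        caller is never compared against its owner."""
        src, dst = self.accounts[src_id], self.accounts[dst_id]
        src.balance -= amount
        dst.balance += amount

    def transfer_hardened(self, caller, src_id, dst_id, amount):
        """Ownership check: only the owner of the source account may debit it."""
        src = self.accounts.get(src_id)
        dst = self.accounts.get(dst_id)
        # One identical error for "no such account" and "not your account", so
        # the endpoint cannot be used as an oracle to enumerate valid IDs.
        if src is None or src.owner != caller:
            raise Forbidden("source account not found or not owned by caller")
        if dst is None:
            raise Forbidden("destination account not found")
        if amount <= 0 or src.balance < amount:
            raise ValueError("invalid amount")
        src.balance -= amount
        dst.balance += amount


def demo_outcomes():
    """Run the same hostile request against both handlers and report results."""
    bank = Bank()
    alice = bank.open_account("alice", 100)
    bob = bank.open_account("bob", 50)

    # Vulnerable handler: "mallory" names alice's account as the source and succeeds.
    bank.transfer_vulnerable("mallory", alice, bob, 30)
    after_vulnerable = (bank.accounts[alice].balance, bank.accounts[bob].balance)

    # Hardened handler: the same request is refused.
    try:
        bank.transfer_hardened("mallory", alice, bob, 30)
        blocked = False
    except Forbidden:
        blocked = True

    # Unknown and foreign IDs are indistinguishable to the caller.
    try:
        bank.transfer_hardened("mallory", "no-such-id", bob, 30)
        same_error = False
    except Forbidden as exc:
        same_error = str(exc) == "source account not found or not owned by caller"

    # The legitimate owner can still transfer.
    bank.transfer_hardened("alice", alice, bob, 20)
    after_hardened = (bank.accounts[alice].balance, bank.accounts[bob].balance)

    return {
        "after_vulnerable": after_vulnerable,
        "blocked": blocked,
        "same_error": same_error,
        "after_hardened": after_hardened,
        "id_length": len(alice),
    }


if __name__ == "__main__":
    print(demo_outcomes())
```

Random IDs on their own are not the fix; the authorization check is. The token only removes the easy enumeration path that sequential IDs hand to an unauthenticated client, and the uniform error keeps the authenticated path from leaking which IDs exist.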
In 2022, effective security awareness and strengthened API security best practices pave the way for winning cybersecurity systems.
And Indusface WAF will spare no effort to ensure the security of your business on the Web.