Biggest API Security Attacks of 2021 … So Far
Threat actors are continuing to expose gaps in API security. The desire to innovate digital services and connect them with other services opens up a broad attack surface for malicious threat actors to work with. In a world where development speed, innovation and iteration often trump security concerns, APIs provide adversaries with low-hanging fruit to infiltrate services and steal sensitive data. And there have been a lot of API attacks in 2021 thus far. Here are four of the biggest.
Parler API Hack
Parler is a social networking platform that came to prominence under the Trump administration in the U.S. In 2021, security researchers exposed major security flaws in Parler’s API that enabled them to easily scrape over 60 terabytes of data on the site’s 10 million users.
The hack could best be described as an act of hacktivism—it involved security teams conducting a coordinated attack on a system for social or political reasons. In this instance, the motivation appeared to be a desire to expose the type of content users published on the Parler platform in the run-up to the U.S. capitol siege.
Whatever the motivation, the method was surprisingly simple. Security researchers exploited an unprotected API call that had no limits placed on it. In practice, this meant that the researchers could download all the user data they wanted without any way for Parler to flag what was happening. The other piece of the puzzle was that Parler sequentially ordered post URLs, which made it easy to download millions of posts at scale.
Clubhouse Leak
Clubhouse is a social networking platform based on audio rather than text communication. These audio chatrooms can facilitate thousands of people simultaneously conversing with each other. The Clubhouse app is relatively new—its initial release came in April 2020.
Just 12 months after Clubhouse launched, it boasted a user base of over 10 million per week. And then, the platform became the victim of a data leak. A popular hacker forum published a database of over 1.3 million user records containing information such as names, account creation dates and photo URLs.
The particular security flaw, in this case, is that anyone can use the API to query all publicly available Clubhouse user profile information. Interestingly, Clubhouse staunchly defended itself on Twitter against claims of poor security practices. According to a company Tweet, “the data referred to is all public profile information from our app, which anyone can access via the app or our API.” The platform’s security policy forbids the unauthorized scraping of data; however, the lack of anti-scraping measures represents an API security flaw. Technical controls should enforce these policy rules.
LinkedIn Breach
In another major security story from 2021, hackers breached data belonging to over 700 million LinkedIn users and offered that data for sale on the dark web. LinkedIn is the world’s largest professional social networking platform, and the 700 million exposed users represent over 90% of the site’s user base.
Stolen data from this breach included names, phone numbers and physical addresses. Such information can become incredibly valuable in the hands of adversaries carrying out phishing, smishing and other social engineering campaigns.
The hackers behind this attack were able to download the data using LinkedIn’s API. The technical API flaws that facilitated the LinkedIn attack remain unclear. However, what is clear is that the platform did not pay enough attention to API security practices, which resulted in threat actors being able to make an unlimited number of data requests without being flagged or stopped.
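The Parler and LinkedIn incidents share two runtime signals a defender can look for: one client issuing an unbounded number of requests, and a client walking sequential resource IDs. The following is an added example, not code from the article or from either platform; the log format, paths and thresholds are constructed for illustration.

```python
"""Flag enumeration-style scraping in constructed API access logs.

Added example (not from the original article). All log lines below are
constructed samples, not real traffic; thresholds are illustrative only.
"""
from collections import defaultdict
import re

# Constructed sample log lines: "<client> <method> <path>"
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/posts/1000
10.0.0.5 GET /api/v1/posts/1001
10.0.0.5 GET /api/v1/posts/1002
10.0.0.5 GET /api/v1/posts/1003
10.0.0.5 GET /api/v1/posts/1004
10.0.0.5 GET /api/v1/posts/1005
10.0.0.9 GET /api/v1/posts/4821
10.0.0.9 GET /api/v1/users/me
10.0.0.9 GET /api/v1/posts/77
"""

POST_PATH = re.compile(r"^/api/v1/posts/(\d+)$")  # hypothetical route

def analyze(log_text, max_requests=5, min_run=4):
    """Return {client: [finding, ...]} for clients that exceed a per-window
    request budget or fetch at least `min_run` consecutive post IDs in order."""
    requests = defaultdict(int)
    post_ids = defaultdict(list)
    for line in log_text.splitlines():
        client, _method, path = line.split()
        requests[client] += 1
        m = POST_PATH.match(path)
        if m:
            post_ids[client].append(int(m.group(1)))
    findings = defaultdict(list)
    # Signal 1: no limit on request volume (LinkedIn-style unbounded pulls)
    for client, count in requests.items():
        if count > max_requests:
            findings[client].append(f"volume: {count} requests > budget {max_requests}")
    # Signal 2: ascending sequential IDs (Parler-style URL enumeration)
    for client, ids in post_ids.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                findings[client].append(f"enumeration: {run} sequential post IDs")
                break
    return dict(findings)
```

In production the same two checks would run per time window against real gateway logs, and the enumeration signal disappears entirely if resource identifiers are random rather than sequential.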
According to Salt Security’s API Security Checklist, it’s critical to “security test your APIs, but know that you will also need runtime protection to catch changes that don’t go through standard build process and abuses that testing tools aren’t designed to find”. You can’t find basic flaws unless you security test your APIs. This security testing should be built into DevOps cycles.
NoxPlayer
NoxPlayer is an Android emulator for PC and Mac devices. Early in 2021, news emerged that security researchers uncovered an API hack that pushed malware to a small number of NoxPlayer users. The unidentified threat actors compromised the company’s official API using a sophisticated technique that exploited insufficient API response validation.
Hackers managed to push three different malware families to users under the guise of software updates. Security researchers believe these malware strains had surveillance-related capabilities. NoxPlayer owner BigNox has since fixed the API security flaws that made this attack possible.
What’s Next?
For as long as security remains an afterthought in the development life cycle, hackers will continue to successfully exploit API security flaws. Organizations need to act fast with dedicated security strategies for APIs. It’s entirely too common for organizations to prioritize innovation and delivery speed in today’s fast-moving digital landscape. While that might deliver a short-term competitive edge, in the long term it’s almost a guarantee that attackers will exploit organizations’ lack of security.
APIs continue to open up more points of communication between apps and services but simultaneously offer more opportunities for hackers to exploit flaws. API security needs to become a priority if you want to protect your most sensitive information assets.