There is a sight gag that has been used in a number of movies and TV comedies that involves an apartment building lobby. It shows how people who don’t live there but want to get in anyway, such as Girl Guides looking to sell cookies to the tenants, simply run their fingers down every call button on the tenant directory, like a pianist performing a glissando, knowing that at least one of the dozens of apartments being buzzed will let them in out of reflex or laziness.

This is a fitting example of broken authentication in the analogue world: an automated system designed to keep non-residents out, admitting them only when a resident grants permission manually, that is easily overrun and exploited without any need for sophisticated tools.

Broken authentication is the term used in the world of infosec to describe similar outcomes. Organizations of all types that have internet-facing media such as websites and APIs use some form of authentication to prevent the wrong people from “buzzing themselves in,” but these, too, are woefully inadequate to the task.

Attacks that exploit APIs

One of the most common points of weakness is the API attack, in which bad actors force their way in through a variety of techniques, all of which essentially abuse the construction of the API’s own interface, after which they can deposit malware, steal data, or perform other types of crime and sabotage.

One of these techniques is credential stuffing, which involves using stolen usernames and passwords – obtained through data breaches, for example – to fool the API into accepting the attacker as a valid identity. This, by the way, is one of many reasons why everyone should change their passwords regularly.

A related technique involves brute (Read more...)