How Automated API Attacks Are the Digital Equivalent of Mockingbirds

My Father’s Day plans involved sitting in my hammock, listening to the birds and enjoying the fruits of my labors. Then I heard a curious bird call and decided to see what species it was. The Merlin App is one of my favorite apps for bird identification; it can take ... Read More

IOCs in your APIs

When our customers engage the CQ Prime Threat Research Team for help, it is typically driven by some sort of compelling event. It may have been a potential compliance issue from an exposed API, an aggressive Account Take Over or Shopping Bot attack. In all of these cases our process ... Read More

New API Research Shows 62% Growth in ATOs Targeting Login APIs

APIs are the Developer Tool of Choice and #1 Target for Malicious Use. Today, everything is an app. A Tesla isn’t really a car – it’s a four-wheeled app. Every one of the 142B+ device app downloads including your money management or a favorite shopping or fitness app are all ... Read More

A Defender’s View of Log4j in Automated Attacks

When Log4j was first exposed to the public, it was only a matter of time before exploits would be developed and fired at any unsuspecting web server with the chance of getting Remote Code Execution. But to get from “we know there is a problem” to “we know that server ... Read More

Are These 13 Scary Security Gaps in Your APIs?

Today, bad actors are increasingly exploiting API security gaps, allowing them to exfiltrate data, commit fraud or take other actions that can come back to haunt your organization. With the spooky season upon us, I wanted to cover some of the more chilling real-world API attack scenarios I’ve spotted in ... Read More

Multi-Tenant SaaS Authentication Bypass or Works-as-Designed?

Four months ago, researchers at Cequence discovered an authentication vulnerability in the Lithium community forum platform (now part of Khoros) that warranted a responsible disclosure submission. The vulnerability impacts Khoros customers using the Lithium platform to host public communities and forums, exposing their customer data to unauthenticated users. Khoros has ... Read More

Hey API! What you Token?

Technology is always evolving with some of it widely adopted, while others never get implemented. In some cases, the technology adopted for the sake of the latest and greatest is implemented incorrectly, resulting in security flaws. This latest [insecure] technology adoption trend we are seeing is data buried in API ... Read More

API Security Done Right: COVID-19 Exposure Notification System Minimizes Data Exposure

Security Professionals have a reputation for being paranoid and pointing out security or privacy flaws in just about everything. When the Privacy-Preserving Contact Tracing Project was first launched, many a security pro said, with great skepticism, “you want me to what now?” The system allowed for a way to trace ... Read More

Gmail Farming and Credential Validation

Even after 20 years in the security field, and nearly two years here at Cequence, I am continually surprised at how ever-evolving bots impact our customers. It definitely keeps us on our toes as we try to understand how each attack component (Tools, Infrastructure, Credentials and Behavior) evolves. Our previous ... Read More

API Security Need to Know: Excessive Data Exposure

In today’s online world, privacy is more than concealing what you’re up to. Privacy begins with an expectation that is maintained in an ongoing manner. When you use an application that sets a privacy expectation with words like “secure”, the maintenance falls to the provider of the application. Recently Stanford’s ... Read More