Back in December of 2021, an API vulnerability impacting Twitter was disclosed. Just a few months later, in July, data from more than 5.4 million users—obtained through this vulnerability—was put up for sale, and more recently, another hacker shared the data online. Let’s take the opportunity to examine the concept of an API attack, and what can and should be done to stop such attacks.
To begin, let’s review what an API, and an API attack, really are.
An API—Application Programming Interface—Enables Communication Between Programs
All an API really is, is a bit of code that allows the applications we all rely on to connect to the Internet in a secure and standardized way. Sending a friend a payment through a money sharing application? There’s an API involved. Adjusting a smart appliance through an app? Thanks, API!
The process works as follows:
- You send a command to an application on your mobile device.
- The application connects to the Internet to share the data contained in the command.
- A server receives the data, interprets it, and carries out the appropriate actions.
- Your mobile device receives the data back and presents it to you.
Today, APIs are largely standardized, which generally makes them more secure—your device and the server powering the online service are only communicating the absolutely necessary information between them.
Twitter’s API Vulnerability Removed this Separation
A vulnerability was present in one of Twitter’s APIs that ultimately allowed hackers to identify who owned Twitter accounts by submitting email addresses or mobile phone numbers to the API. By the time the vulnerability was fixed in January of 2022, the damage was already done.
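The kind of flaw described above, as an added example that is not Twitter's code or part of the original post: a hypothetical lookup handler that reveals which account owns an email address or phone number, beside a hardened version. The account data, the `discoverable` flag, the function and class names and the limit of three lookups are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: identifier (email or phone) -> account record.
# "discoverable" is a hypothetical opt-in flag set by the account owner.
ACCOUNTS = {
    "alice@example.com": {"handle": "@alice", "discoverable": False},
    "+15555550100": {"handle": "@bob", "discoverable": True},
}


def lookup_leaky(identifier):
    """Flawed pattern: any caller learns which account owns an identifier."""
    account = ACCOUNTS.get(identifier)
    if account is None:
        return {"status": 404}  # "not found" itself confirms non-membership
    return {"status": 200, "handle": account["handle"]}


class LookupGuard:
    """Hardened pattern: honour opt-in, answer uniformly, cap distinct lookups."""

    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)  # client id -> distinct identifiers tried

    def lookup(self, client_id, identifier):
        self.seen[client_id].add(identifier)
        if len(self.seen[client_id]) > self.max_distinct:
            # One client cycling through many identifiers looks like enumeration.
            return {"status": 429}
        account = ACCOUNTS.get(identifier)
        if account is None or not account["discoverable"]:
            # Identical response for "unknown" and "private" identifiers.
            return {"status": 200, "handle": None}
        return {"status": 200, "handle": account["handle"]}
```

In the hardened version a caller cannot distinguish an unregistered email address from a registered but private one, and a single client that submits a long list of identifiers is cut off after a handful of distinct lookups.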
API Attacks are a Big Deal
Twitter is far from the only example of an API attack. The vast majority of businesses encounter security problems as a result of these interfaces, and a sizable chunk of those suffer a data breach as a result. This is because APIs are inherently trusting of systems that try to connect to them, so if an attacker gets access to an API, they have an expressway right into that organization’s databases.
Once they have access to this data, an attacker can then use it as ammunition to improve their social engineering efforts.
How to Avoid the Impacts of API Attacks
The key to avoiding API attacks is to teach your team about them, largely by helping them to identify various scams like phishing before this kind of information is successfully exfiltrated from your business. In short, you need to make sure that they can identify phishing attacks, and that a variety of other security measures are in place, like two-factor authentication and sufficient password practices.
We’re Here to Help You Maintain Your Security
Reach out to Data Net at (760) 466-1200 to learn more about how we can help you protect your business’ operations.