Introduction
In at this time’s interconnected digital ecosystem, Software Programming Interfaces (APIs) play a pivotal position in enabling seamless communication and knowledge alternate between varied software program purposes and programs. APIs act as bridges, facilitating the sharing of data and functionalities. Nonetheless, as the usage of APIs continues to rise, they’ve change into an more and more engaging goal for cybercriminals and a big cybersecurity danger throughout varied industries. This text dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and offering real-world examples of API breaches throughout completely different sectors.
Obtain API Safety Information.
The API Revolution
The proliferation of cloud computing, cellular apps, and the Web of Issues (IoT) has accelerated the adoption of APIs. They function the constructing blocks of recent software program purposes, enabling builders to combine third-party companies, improve functionalities, and create modern options quickly. From prolonged healthcare companies to e-commerce, APIs have change into an integral a part of our digital lives.
Why APIs are a Cybersecurity Threat
On the API facet, the top-ranked vulnerability cited by the Open Internet Software Safety Undertaking (OWASP) is now BOLA, or damaged object-level authorization. This flaw can permit attackers to govern the ID of an object in an API request, in impact letting unprivileged customers learn or delete one other consumer’s knowledge. This can be a notably high-risk assault, on condition that it would not require any diploma of technical ability to execute, and intrusions resemble regular site visitors to most safety programs.
Detection logic should differentiate between 1-to-1 connections and 1-to-many connections amongst assets and customers. Publish-event BOLA assaults are tough to see due to their low quantity, and it doesn’t present a powerful indication of any behavioral anomalies, reminiscent of injection or denial of service.
2023 reviews point out cyberattacks concentrating on APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are particularly within the current inflow of latest units below the Web of Medical Issues and related apps and API ecosystem that has supported the supply of extra accessible affected person care and companies. One other business that can be weak is manufacturing, which has skilled a rise in IoT units and programs, resulting in a 76% improve in media assaults in 2022.
Nonetheless, in accordance with a current State of API Safety 2023 report, the next are safety groups’ high checklist of API safety issues:
- Zombie APIs – Outdated, deprecated APIs generally known as Zombie APIs appeared on the high of the checklist of API safety issues in lots of 2023 reviews
- DDoS – Denial of service (DDoS) assaults to overwhelm web site, server, or community
- Authentication Bypass – Account takeover/misuse
- Knowledge Leakage – Unintended publicity of delicate knowledge
- Knowledge exfiltration – Unintentional publicity of information that’s intentionally stolen
- Shadow APIs – Undocumented “backdoor” APIs (e.g., unknown or shadow APIs)
The Proliferation of APIs Throughout Industries
The explosion of APIs throughout industries has been pushed by their unparalleled skill to boost connectivity, streamline operations, and allow innovation. Organizations are leveraging APIs to realize interoperability, speed up improvement cycles, and supply enhanced consumer experiences. From e-commerce platforms integrating cost gateways to healthcare programs sharing affected person knowledge securely, APIs allow organizations to harness the strengths of specialised companies and applied sciences with out having to reinvent the wheel.
The modularity and extensibility provided by APIs empower builders to construct upon present functionalities, quickly create new purposes, and adapt to evolving market calls for. As industries proceed to embrace digital transformation, APIs play a pivotal position in driving effectivity, agility, and competitiveness, fostering a dynamic ecosystem of interconnected applied sciences.
Listed here are a number of examples of how main industries are utilizing APIs and the dangers related to not securing APIs appropriately.
Healthcare
Healthcare establishments are more and more harnessing the facility of APIs to revolutionize affected person care and improve operational effectivity. APIs are serving as a conduit for seamless knowledge alternate amongst varied healthcare programs, enabling interoperability between digital well being data (EHR) platforms, medical units, and affected person portals. These APIs facilitate safe and standardized sharing of affected person info, permitting healthcare professionals to entry essential knowledge on the level of care.
Furthermore, APIs are driving innovation in telemedicine and distant affected person monitoring by enabling real-time communication between sufferers and medical practitioners by way of cellular apps and wearables. By leveraging APIs, healthcare establishments usually are not solely optimizing scientific workflows and decreasing administrative burdens but in addition bettering affected person engagement and outcomes. The usage of APIs in healthcare is fostering a extra linked and data-driven ecosystem, finally remodeling the best way healthcare companies are delivered and skilled.
Some analysis states that the shortage of safety APIs could trigger $12 billion to $23 billion in common annual API-related cyber loss within the US and anyplace from $41 billion to $75 billion globally.
Whereas APIs supply vital advantages to the healthcare business, in addition they introduce potential dangers. Insufficient safety controls in API implementations can result in unauthorized entry to delicate affected person knowledge, exposing people to privateness breaches and identification theft. To mitigate these dangers, healthcare establishments should prioritize strong API safety measures, together with encryption, sturdy authentication, common vulnerability assessments, and compliance with business rules reminiscent of HIPAA.
Quest Diagnostics API Breach: A 3rd-party API was the results of one of many largest knowledge breaches skilled by a number one scientific laboratory service supplier in the US, Quest Diagnostics. Attackers exploited a vulnerability on this third-party’s net cost web page, which was accessible by way of an uncovered API gaining unauthorized entry to medical info of roughly 11.9 million sufferers.
Monetary Service Establishments
Monetary establishments are leveraging APIs to revolutionize their companies and buyer experiences. APIs have change into the spine of recent monetary programs, enabling seamless integration between varied banking features, third-party purposes, and digital companies. With APIs, these establishments can supply clients real-time entry to account info, transaction histories, and personalised monetary insights. APIs additionally facilitate safe cost processing, enabling the mixing of cellular wallets and third-party cost gateways.
Furthermore, monetary establishments are embracing Open Banking initiatives, permitting clients to securely share their monetary knowledge with approved third-party purposes by way of standardized APIs. This method fosters innovation by enabling fintech firms to develop tailor-made options reminiscent of budgeting apps, funding platforms, and lending companies. By APIs, monetary establishments usually are not solely bettering operational effectivity but in addition remodeling the best way clients work together with and handle their monetary affairs, making a extra dynamic and interconnected monetary panorama.
API attackers concentrating on monetary companies and insurance coverage APIs are more and more lively, with a reported 244% improve in distinctive assaults in 2022. As well as, many monetary establishments have skilled a big safety concern in manufacturing APIs over the previous 12 months, and practically one out of 5 have suffered an API safety breach.
Attributable to this, on October 3, 2022, the FFIEC introduced a big replace to its 2018 Cybersecurity Useful resource Information for Monetary Establishments. Including API Safety as an essential part of a company’s stock of data programs and danger administration initiatives.This can be a main improvement towards the eventual regulatory mandates, together with API safety.
Latitude Monetary API Breach: The Melbourne-based firm, which offers private loans and bank cards in Australia, suffered a significant breach that occurred in March 2023, with greater than 14 million data being compromised. Virtually 8 million drivers’ licenses have been stolen, together with 53,000 passport numbers and dozens of month-to-month monetary statements. Essentially the most regarding side of the breach is that Latitude Monetary initially reported that solely 300,000 folks have been affected, suggesting a lack of knowledge of the assault.
Know-how
Tech firms are on the forefront of leveraging APIs to create modern and interconnected options that drive the digital economic system. These firms make the most of APIs for a mess of functions, together with bettering and enhancing consumer experiences, increasing product functionalities, and collaborating with exterior builders. This speedy improvement and integration of APIs can result in safety oversights.
Tech firms typically handle quite a few APIs from varied sources and guaranteeing constant safety practices throughout all of them could be difficult. An oversight in a single API may open the door to vulnerabilities that attackers may exploit to compromise the broader community. For instance, the mixing of third-party APIs can expose tech firms to dangers past their management. If a third-party API is compromised, it may possibly influence the safety of the built-in software, as seen within the 2018 Fb breach, the place a third-party app’s vulnerability uncovered consumer knowledge.
Nonetheless, the rising reliance on APIs poses vital cyber dangers to tech firms since APIs typically transmit delicate info between programs. Any vulnerabilities in API safety might be exploited to realize unauthorized entry to consumer knowledge or firm databases, and insufficient authentication and authorization mechanisms can expose APIs to assaults like unauthorized knowledge retrieval or manipulation.
Dropbox API Breach: On November 1, 2022, hackers have been in a position to acquire entry to Dropbox’s GitHub inside code repositories. This allowed hackers to entry 130 inside code repositories, some containing API keys and consumer knowledge. Hackers despatched an e mail emulating CircleCI, a well-liked pipeline for CI/CD, for his or her phishing assault. Customers have been then taken to a counterfeit CircleCI web page, the place they have been prompted to enter their GitHub credentials. They have been then despatched a One-Time Password, which they have been requested to enter.
Fortuitously, it appears no consumer knowledge was accessed within the DropBox API breach. The hackers have been restricted to downloading GitHub’s code repositories, which is dangerous information for them however higher information for DropBox customers.
Retail
Retailers at this time do greater than half of their enterprise on-line and have embraced the usage of APIs to revolutionize their operations and ship enhanced buyer shopping for experiences. This business leverages APIs to seamlessly join their on-line and in-store programs, combine third-party companies, and optimize varied facets of their enterprise processes. For retail firms, APIs facilitate real-time stock administration throughout a number of areas, enabling clients to test product availability on-line earlier than visiting a bodily retailer. Moreover, APIs energy personalised suggestions, enabling retailers to recommend merchandise primarily based on buyer preferences and looking historical past, thereby enhancing cross-selling and upselling alternatives.
In most retail sectors at this time, APIs play a significant position in streamlining the ordering and supply processes. Cell apps and web sites typically combine with point-of-sale programs by way of APIs, enabling clients to position orders remotely and obtain correct updates on their orders’ standing. Third-party integrations, though enhancing performance, introduce a further layer of danger if APIs connecting with third-party companies are uncovered.
Peleton API Breach: In Could 2021, a safety researcher discovered that he may make unauthenticated requests to Peloton back-end APIs that have been utilized by associated train tools and subscription companies. One may name the Peloton API endpoints straight and acquire vital quantities of PII, leading to privateness impacts for Peloton clients. Peloton net and cellular purposes created as companions to Peloton train tools used these back-end APIs to supply exercise statistics and sophistication scheduling. Peloton finally remedied the API points, but it surely’s unclear what number of Peloton clients could have had their private info disclosed.
Conclusion
APIs have remodeled the best way software program purposes work together and performance, providing effectivity and innovation throughout industries. Nonetheless, their widespread use has additionally launched new and complicated cybersecurity challenges. The potential for unauthorized knowledge entry, disruption of companies, and compromise of total programs makes APIs a main goal for cybercriminals. As seen from the examples above, insufficient API safety controls can result in vital breaches with far-reaching penalties.
To mitigate the dangers posed by APIs, organizations should prioritize strong safety measures. This contains implementing sturdy authentication and authorization mechanisms, usually updating and patching APIs, encrypting delicate knowledge throughout transit and conducting thorough safety assessments, reminiscent of penetration testing and code critiques. Moreover, organizations ought to set up complete safety protocols for integrating third-party APIs and guarantee ongoing monitoring to detect and reply to potential threats.
Greatest Practices and Mitigation
BreachLock recommends that organizations severely take into account updating their API safety practices, that ought to embody the next:
- Assault Floor Administration – API discovery and stock by way of Assault Floor Administration scanning for each inside and external-facing assault surfaces
- API Penetration Testing Companies – Common API safety assessments to determine vulnerabilities by way of hybrid penetration testing, utilizing each automated and handbook applied sciences
- Continued Automated Testing – API risk prevention by way of continued automated safety validation to make sure safety controls are efficient and new vulnerabilities haven’t emerged
If developments proceed, new API exploits might be skilled extra regularly. At BreachLock, we imagine API safety needs to be a big cyber initiative for all organizations to make sure that your safety ecosystem can defend towards these kind of subtle and rising assaults.
About BreachLock
BreachLock is a world chief in PTaaS and penetration testing service. BreachLock affords automated, AI-enabled, and human-delivered options in a single built-in platform primarily based on a standardized built-in framework that permits constant and common benchmarks of assault strategies, safety controls, and processes. By making a standardized framework, BreachLock can ship enhanced predictability, consistency, and correct ends in real-time each time.
