Back in December of 2021, an API vulnerability impacting Twitter was disclosed. Just a few months later, in July, data from more than 5.4 million users—obtained through this vulnerability—was put up for sale, and more recently, another hacker shared the data online. Let’s take the opportunity to examine the concept of an API attack, and what can and should be done to stop them.
To begin, let’s review what an API, and an API attack, really is.
All an API really is, is a bit of code that allows the applications we all rely on to connect to the Internet in a secure and standardized way. Sending a friend a payment through a money sharing application? There’s an API involved. Adjusting a smart appliance through an app? Thanks, API!
The process works as follows:
Today, APIs are largely standardized, which generally makes them more secure—your device and the server powering the online service are only communicating the absolutely necessary information between them.
An exploit was present in one of Twitter’s APIs that ultimately allowed hackers to identify who owned Twitter accounts by submitting email addresses or mobile phone numbers to the API—and by the time the vulnerability was fixed in January of 2022, the damage was already done.
Twitter is far from the only example of an API attack, with the vast majority of businesses encountering security problems as a result of these interfaces, a sizable chunk of those suffering a data breach as a result. It is because APIs are inherently trusting of systems that try to connect to them—and so, if an attacker gets access to an API, they have an expressway right into that organization’s databases.
Once they have access to this data, an attacker can then use it as ammunition to improve their social engineering efforts.
The key to avoiding API attacks is to teach your team about them, largely by helping them to identify various scams like phishing before this kind of information is successfully exfiltrated from your business. In short, you need to make sure that they can identify phishing attacks, and that a variety of other security measures are in place, like two-factor authentication and sufficient password practices.
Reach out to OnSite I.T. at (403) 210-2927 to learn more about how we can help you protect your business’ operations.