We have dedicated this blog to real-world security breaches with emphasis on attacks targeting the API layer. In this series of blog posts, we will examine the most notable security attacks along with some background on the root cause, business impact and prevention best practices.
We’ll kick off the first blog post with an overview of the API attack that targeted Google+ and that forced the tech giant to shut down its social network.
On December 10, 2018, Google revealed that Google+ had suffered another massive data breach, forcing the tech giant to shut down its social network four months earlier than originally scheduled.
The root cause of the problem was a critical security vulnerability in one of Google+’s People APIs that allowed developers to retrieve private information from 52.5 million users, including their name, email address, occupation, and age. The endpoint in question, “People: get”, was designed to let developers request basic information associated with a user profile. However, a software update in November 2018 introduced a security vulnerability in the Google+ People API that allowed third-party app developers to view users’ information even if the profile was set to non-public. The security issue was discovered and fixed within a week of being introduced, but that was too late to prevent the API vulnerability from being exploited by hackers.
APIs drive almost all kinds of applications, including web, mobile, IoT and many others. The API layer is the visible backbone of any application; it is where all the data and requests get processed. As a result, the API layer exposes a very large attack surface, as the Google+ API attack shows. Hackers are now targeting API-specific vulnerabilities, specifically around data access controls such as role-based access control (RBAC) and attribute-based access control (ABAC). In the Google+ breach, hackers exposed user data from 52.5 million accounts.
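To make the failure mode above concrete, here is an added example (not Google's code, and not the People API's real implementation) of a profile-read handler in two forms: one that stops at the OAuth scope check and ignores per-field visibility, and one that applies the attribute-based check the paragraph above calls for. All names, fields and sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ProfileField:
    value: str
    public: bool  # the user's own visibility setting for this field

@dataclass
class Profile:
    user_id: str
    fields: dict = field(default_factory=dict)

# Constructed sample data: "alice" shares her name publicly, keeps the rest private.
ALICE = Profile("alice", {
    "name": ProfileField("Alice Example", public=True),
    "email": ProfileField("alice@example.invalid", public=False),
    "occupation": ProfileField("engineer", public=False),
    "age": ProfileField("34", public=False),
})

def people_get_vulnerable(profile, requester_id, granted_scopes):
    """Buggy variant: once the app holds the 'profile' scope every field is
    returned; the per-field visibility flag is never consulted."""
    if "profile" not in granted_scopes:
        raise PermissionError("scope 'profile' required")
    return {name: f.value for name, f in profile.fields.items()}

def people_get_fixed(profile, requester_id, granted_scopes):
    """Hardened variant: the scope gets the app in the door, but each field is
    released only if it is public or the requester is the profile owner."""
    if "profile" not in granted_scopes:
        raise PermissionError("scope 'profile' required")
    is_owner = requester_id == profile.user_id
    return {name: f.value for name, f in profile.fields.items()
            if f.public or is_owner}

def leaked_private_fields(handler, profile, requester_id, granted_scopes):
    """Check helper: names of non-public fields a handler hands to a non-owner."""
    if requester_id == profile.user_id:
        return []
    out = handler(profile, requester_id, granted_scopes)
    return sorted(n for n in out if not profile.fields[n].public)

if __name__ == "__main__":
    app, scopes = "third-party-app", {"profile"}
    print(leaked_private_fields(people_get_vulnerable, ALICE, app, scopes))  # ['age', 'email', 'occupation']
    print(leaked_private_fields(people_get_fixed, ALICE, app, scopes))       # []
```

The `leaked_private_fields` check is the kind of per-endpoint, per-field assertion an API test suite can run against every object-read endpoint, so that a regression like the one described above is caught before release rather than after.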
How Could This Have Been Prevented?
FX Labs is the answer to attacks targeting the API layer because our automated platform, APISec, can instantly test every API endpoint and is granular enough to detect the Top 20 API vulnerabilities (including RBAC and ABAC). No other platform can make your APIs as safe as we can, which is why some of the largest companies use our platform.
During our latest engagement, our platform found 25 critical ABAC vulnerabilities for one of the largest financial services companies in the world. These types of vulnerabilities are impossible to find otherwise and would have allowed one user unauthorized access to the resources of other tenants.
This could have exposed them not only to fraud and lawsuits but also to additional penalties for breaching GDPR requirements.