In today's interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors.
Download API Security Guide.
The API Revolution
The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and create innovative solutions rapidly. From extended healthcare services to e-commerce, APIs have become an integral part of our digital lives.
Why APIs are a Cybersecurity Risk
On the API side, the top-ranked vulnerability cited by the Open Web Application Security Project (OWASP) is now BOLA, or broken object-level authorization. This flaw can allow attackers to manipulate the ID of an object in an API request, in effect letting unprivileged users read or delete another user's data. This is a particularly high-risk attack, given that it doesn't require any degree of technical skill to execute, and intrusions resemble normal traffic to most security systems.
Detection logic must differentiate between 1-to-1 connections and 1-to-many connections among resources and users. Post-event BOLA attacks are difficult to see because of their low volume, and it does not show a strong indication of any behavioral anomalies, such as injection or denial of service.
2023 reports indicate cyberattacks targeting APIs have jumped 137%, with healthcare and manufacturing seen as prime targets by attackers. Attackers are especially interested in the recent influx of new devices under the Internet of Medical Things and associated apps and API ecosystem that has supported the provision of more accessible patient care and services. Another industry that is also vulnerable is manufacturing, which has experienced an increase in IoT devices and systems, leading to a 76% increase in media attacks in 2022.
However, according to a recent State of API Security 2023 report, the following are security teams' top list of API security concerns:
- Zombie APIs - Old, deprecated APIs known as Zombie APIs appeared at the top of the list of API security concerns in many 2023 reports
- DDoS - Denial of service (DDoS) attacks to overwhelm website, server, or network
- Authentication Bypass - Account takeover/misuse
- Data Leakage - Accidental exposure of sensitive data
- Data exfiltration – Unintentional exposure of data that is deliberately stolen
- Shadow APIs - Undocumented "backdoor" APIs (e.g., unknown or shadow APIs)
The Proliferation of APIs Across Industries
The explosion of APIs across industries has been driven by their unparalleled ability to enhance connectivity, streamline operations, and enable innovation. Organizations are leveraging APIs to achieve interoperability, accelerate development cycles, and offer enhanced user experiences. From e-commerce platforms integrating payment gateways to healthcare systems sharing patient data securely, APIs enable organizations to harness the strengths of specialized services and technologies without having to reinvent the wheel.
The modularity and extensibility offered by APIs empower developers to build upon existing functionalities, rapidly create new applications, and adapt to evolving market demands. As industries continue to embrace digital transformation, APIs play a pivotal role in driving efficiency, agility, and competitiveness, fostering a dynamic ecosystem of interconnected technologies.
Here are a few examples of how major industries are using APIs and the risks associated with not securing APIs appropriately.
Healthcare institutions are increasingly harnessing the power of APIs to revolutionize patient care and enhance operational efficiency. APIs are serving as a conduit for seamless data exchange among various healthcare systems, enabling interoperability between electronic health records (EHR) platforms, medical devices, and patient portals. These APIs facilitate secure and standardized sharing of patient information, allowing healthcare professionals to access crucial data at the point of care.
Moreover, APIs are driving innovation in telemedicine and remote patient monitoring by enabling real-time communication between patients and medical practitioners through mobile apps and wearables. By leveraging APIs, healthcare institutions are not only optimizing clinical workflows and reducing administrative burdens but also improving patient engagement and outcomes. The use of APIs in healthcare is fostering a more connected and data-driven ecosystem, ultimately transforming the way healthcare services are delivered and experienced.
Some research states that the lack of security APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.
While APIs offer significant benefits to the healthcare industry, they also introduce potential risks. Inadequate security controls in API implementations can lead to unauthorized access to sensitive patient data, exposing individuals to privacy breaches and identity theft. To mitigate these risks, healthcare institutions must prioritize robust API security measures, including encryption, strong authentication, regular vulnerability assessments, and compliance with industry regulations such as HIPAA.
Quest Diagnostics API Breach: A third-party API was the result of one of the largest data breaches experienced by a leading clinical laboratory service provider in the United States, Quest Diagnostics. Attackers exploited a vulnerability in this third-party's web payment page, which was accessible through an exposed API gaining unauthorized access to medical information of approximately 11.9 million patients.
Financial Service Institutions
Financial institutions are leveraging APIs to revolutionize their services and customer experiences. APIs have become the backbone of modern financial systems, enabling seamless integration between various banking functions, third-party applications, and digital services. With APIs, these institutions can offer customers real-time access to account information, transaction histories, and personalized financial insights. APIs also facilitate secure payment processing, enabling the integration of mobile wallets and third-party payment gateways.
Moreover, financial institutions are embracing Open Banking initiatives, allowing customers to securely share their financial data with authorized third-party applications through standardized APIs. This approach fosters innovation by enabling fintech companies to develop tailored solutions such as budgeting apps, investment platforms, and lending services. Through APIs, financial institutions are not only improving operational efficiency but also transforming the way customers interact with and manage their financial affairs, creating a more dynamic and interconnected financial landscape.
API attackers targeting financial services and insurance APIs are increasingly active, with a reported 244% increase in unique attacks in 2022. In addition, many financial institutions have experienced a significant security issue in production APIs over the past year, and nearly one out of five have suffered an API security breach.
Due to this, on October 3, 2022, the FFIEC announced a significant update to its 2018 Cybersecurity Resource Guide for Financial Institutions. Adding API Security as an important component of an organization's inventory of information systems and risk management initiatives.This is a major development toward the eventual regulatory mandates, including API security.
Latitude Financial API Breach: The Melbourne-based company, which provides personal loans and credit cards in Australia, suffered a major breach that occurred in March 2023, with more than 14 million records being compromised. Almost 8 million drivers' licenses were stolen, along with 53,000 passport numbers and dozens of monthly financial statements. The most concerning aspect of the breach is that Latitude Financial originally reported that only 300,000 people were affected, suggesting a lack of understanding of the attack.
Tech companies are at the forefront of leveraging APIs to create innovative and interconnected solutions that drive the digital economy. These companies utilize APIs for a multitude of purposes, including improving and enhancing user experiences, expanding product functionalities, and collaborating with external developers. This rapid development and integration of APIs can lead to security oversights.
Tech companies often manage numerous APIs from various sources and ensuring consistent security practices across all of them can be challenging. An oversight in one API could open the door to vulnerabilities that attackers could exploit to compromise the broader network. For example, the integration of third-party APIs can expose tech companies to risks beyond their control. If a third-party API is compromised, it can impact the security of the integrated application, as seen in the 2018 Facebook breach, where a third-party app's vulnerability exposed user data.
However, the increasing reliance on APIs poses significant cyber risks to tech companies since APIs often transmit sensitive information between systems. Any vulnerabilities in API security could be exploited to gain unauthorized access to user data or company databases, and inadequate authentication and authorization mechanisms can expose APIs to attacks like unauthorized data retrieval or manipulation.
Dropbox API Breach: On November 1, 2022, hackers were able to gain access to Dropbox's GitHub internal code repositories. This allowed hackers to access 130 internal code repositories, some containing API keys and user data. Hackers sent an email emulating CircleCI, a popular pipeline for CI/CD, for their phishing attack. Users were then taken to a counterfeit CircleCI page, where they were prompted to input their GitHub credentials. They were then sent a One-Time Password, which they were asked to input.
Fortunately, it seems no user data was accessed in the DropBox API breach. The hackers were restricted to downloading GitHub's code repositories, which is bad news for them but better news for DropBox users.
Retailers today do more than half of their business online and have embraced the use of APIs to revolutionize their operations and deliver enhanced customer buying experiences. This industry leverages APIs to seamlessly connect their online and in-store systems, integrate third-party services, and optimize various aspects of their business processes. For retail companies, APIs facilitate real-time inventory management across multiple locations, enabling customers to check product availability online before visiting a physical store. Additionally, APIs power personalized recommendations, enabling retailers to suggest products based on customer preferences and browsing history, thereby enhancing cross-selling and upselling opportunities.
In most retail sectors today, APIs play a vital role in streamlining the ordering and delivery processes. Mobile apps and websites often integrate with point-of-sale systems through APIs, enabling customers to place orders remotely and receive accurate updates on their orders' status. Third-party integrations, although enhancing functionality, introduce an additional layer of risk if APIs connecting with third-party services are exposed.
Peleton API Breach: In May 2021, a security researcher found that he could make unauthenticated requests to Peloton back-end APIs that were used by related exercise equipment and subscription services. One could call the Peloton API endpoints directly and obtain significant amounts of PII, resulting in privacy impacts for Peloton customers. Peloton web and mobile applications created as companions to Peloton exercise equipment used these back-end APIs to provide workout statistics and class scheduling. Peloton ultimately remedied the API issues, but it's unclear how many Peloton customers may have had their personal information disclosed.
APIs have transformed the way software applications interact and function, offering efficiency and innovation across industries. However, their widespread use has also introduced new and complex cybersecurity challenges. The potential for unauthorized data access, disruption of services, and compromise of entire systems makes APIs a prime target for cybercriminals. As seen from the examples above, inadequate API security controls can lead to significant breaches with far-reaching consequences.
To mitigate the risks posed by APIs, organizations must prioritize robust security measures. This includes implementing strong authentication and authorization mechanisms, regularly updating and patching APIs, encrypting sensitive data during transit and conducting thorough security assessments, such as penetration testing and code reviews. Furthermore, organizations should establish comprehensive security protocols for integrating third-party APIs and ensure ongoing monitoring to detect and respond to potential threats.
Best Practices and Mitigation
BreachLock recommends that organizations seriously consider updating their API security practices, that should include the following:
- Attack Surface Management - API discovery and inventory through Attack Surface Management scanning for both internal and external-facing attack surfaces
- API Penetration Testing Services – Regular API security assessments to identify vulnerabilities through hybrid penetration testing, using both automated and manual technologies
- Continued Automated Testing - API threat prevention through continued automated security validation to ensure security controls are effective and new vulnerabilities have not emerged
If trends continue, new API exploits will be experienced more frequently. At BreachLock, we believe API security should be a significant cyber initiative for all organizations to ensure that your security ecosystem can defend against these types of sophisticated and growing attacks.
BreachLock is a global leader in PTaaS and penetration testing service. BreachLock offers automated, AI-enabled, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack techniques, security controls, and processes. By creating a standardized framework, BreachLock can deliver enhanced predictability, consistency, and accurate results in real-time every time.