API Vulnerabilities and the Increasing Need For Secure Development
IDOR Vulnerabilities Signal Concerns, Officials Explained
Overt Operator
August 15, 2023
In today's interconnected digital world, web and mobile application developers find themselves in a relentless battle against increasingly sophisticated cyber threats. One of the growing concerns for developers is the security of web application programming interfaces (APIs), a crucial bridge for cloud and mobile services that attackers are keen to exploit.
Rise of Insecure Direct Object Reference (IDOR) Vulnerabilities
Among the common API vulnerabilities, insecure direct object reference (IDOR) stands out as perilous. IDOR vulnerabilities occur when an application allows access to information or web resources using a key or identifier but fails to properly authenticate or authorize that access.
The Australian Signals Directorate's Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) highlighted these vulnerabilities in a joint advisory at the end of July. They warned that IDOR vulnerabilities are difficult to prevent outside the development process and can be exploited at scale by attackers.
Ease of Exploitation
What makes these vulnerabilities alarming to security professionals is that they're frequently easy to exploit and can be attacked on a grand scale using automated tools. This exposes end-user organizations to the risk of unintentional data leaks or deliberate large-scale data breaches, wherein malicious actors obtain sensitive information.
In 2021, the API vulnerabilities in at least one widely-used monitoring application, often referred to as stalkerware, led to exposure of call records, messages, photos, and other personal history. Furthermore, the API for Peloton fitness equipment was found to have endpoints that allowed unauthenticated attackers to gather information on subscribers, including high-profile individuals.
APIs: The New Backbone of the Internet
APIs are no longer a novelty. Their deployment has become pervasive throughout the Internet, connecting everything from IoT devices to cars and other vehicles.
Jason Kent, hacker-at-large for Cequence Security, an API security firm, emphasizes in a recent article that APIs have become the foundation of the Internet.
This broad and rapid adoption means that the security of APIs must be given priority. The network of APIs, constantly transmitting telematic data, forms a backbone that holds the digital world together. Without robust security measures, the risks become grave.
The Path To Enhanced Security
The road to securing APIs begins with a keen understanding of the unique challenges they present and the crafting of customized security functions.
Relying on simple libraries or generic security functions will not suffice. Developers must invest time and resources in creating a secure development process that considers the specific use cases of APIs.
Collaboration between government agencies, cybersecurity experts, and industry leaders will be essential in forming a cohesive and comprehensive strategy to protect APIs.
A Critical Juncture in Cybersecurity
The spotlight on API vulnerabilities represents a critical juncture in the ever-evolving landscape of cybersecurity. As APIs become a fundamental part of the digital infrastructure, the onus falls on developers, security firms, and policymakers to reinforce the security measures that protect them.