Risk
1/16/2013
11:05 PM
50%
50%

Vulnerable APIs Continue To Pose Threat To Cloud

From banks to Instagram, weaknesses in online APIs have caused problems in the last year, with security experts warning that poorly implemented or designed Web APIs could put company data at risk

Cloud services allow third-party access to the application and data through so-called Web application programming interfaces, or APIs. Yet many application developers are failing to properly secure such access, putting the application and underlying data at risk, say security experts.

In October, researchers from the University of Texas at Austin and Stanford University surveyed a variety of high-profile Web services and found that the interfaces exposed to third-party developers contained significant vulnerabilities. Payment services at Amazon and PayPal, the Trillian instant messaging service, the Chase mobile banking service, and other Web applications all have flaws in their implementation of the secure sockets layer (SSL) protocol that weaken their security when accessed through the APIs meant for nonbrowser applications, the researchers found.

The result are applications that can be fooled into allowing some access to a customer's data through the API, according to the paper presented at the 19th ACM Conference on Computer and Communications Security.

"The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries," the researchers state in the paper.

While the paper was the most comprehensive look into API failings, other incidents drew attention in 2012 as well. In November, security researcher Carlos Reventlov found a vulnerability in the Instagram picture-sharing service that would allow a man-in-the-middle attacker to access or delete a person's photos. In April, Microsoft Research published findings of troubling flaws in the logic used for single sign-on services at Facebook, Google ID, and PayPal.

The solution to the problem is not new technology but an attention to detail, says Christopher Barber, a threat analyst with Solutionary's Security Engineering Research Team (SERT).

"The implementation is not really on the level that we need it to be -- it's very spotty," Barber says. "In software development, you have a deadline for certain functionality, and security always takes a backseat."

[Microsoft Research report shows how risky single sign-on can be without solid integration and better support from Web service providers like Google and Facebook. See Web Services Single Sign-On Contain Big Flaws.]

The pressures to complete a Web application and the complexity of implementing SSL combine to make creating secure APIs particularly challenging. The researchers from UT Austin and Stanford recommend that developers make their APIs and SLL libraries more explicit about how to use them properly. In addition, cloud services should regularly do black-box testing, or fuzzing, against their code to see how the application behaves when an adversary is actively testing it.

By their nature, APIs open the Web application to a much greater risk of attack, says K. Scott Morrison, chief technology officer for Layer 7, a company that helps customers manage their APIs.

"To an attacker, an API can be a very instructive tool in telling how your application is working," he says. "It is very self-describing and gives a road map to the application."

Finally, in addition to getting the encryption right and auditing the application, developers have to worry about identity, who is accessing the API, and what sorts of data will they be allowed to access, he adds. Making the issue more complex, most of the time an application, not a specific person, is accessing the data.

In the end, the hacker-like attitude of many Web developers is not the approach that cloud service providers or their customers should take in dealing with APIs.

"We do a lot of reuse, and some of our bad habits are percolating into the API world," Morrison adds. "Unfortunately, while they are bad in the Web world, they are positively dangerous in the API world."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8893
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-8894
Published: 2015-01-28
Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter.

CVE-2014-8895
Published: 2015-01-28
IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL.

CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.