Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:03 AM

Insecure API Implementations Threaten Cloud

Web and cloud services allow third-party access by exposing application programming interfaces, but many developers and customers do not adequately secure the keys to the cloud and their data, experts say

Attackers over the past three years have begun to actively target the digital keys used to secure the Internet infrastructure. Stuxnet's creators stole code-signing keys and then used them to allow the malware to more easily evade host-based security. An alleged Iranian hacker broke into a partner of registry Comodo and bought Secure Sockets Layer (SSL) keys for major domains to eavesdrop on activists. And unknown attackers stole important information on RSA's SecureID token, a device that generates one-time keys to strengthen online security.

The unique codes that applications in the cloud use to identify one another could be next, security experts say.

So-called API keys are used by Web and cloud services to identify third-party applications using the services. If service providers are not careful, an attacker with access to the key can cause a denial-of-service or rack up fees on behalf of the victim.

"It was created as a fairly nonauthoritative identifier -- it was only there to identify applications or the application's use of an API," says K. Scott Morrison, chief technology officer of Layer7 Technologies, a provider of Web security and governance products. "The problem is that developers have started using API keys for stuff that matters."

The problem is not any inherent weakness in the keys, but that developers use them for security when they ought not, he says. In many implementations, the keys are used to identify users, even though the technology was not meant as a way to authorize access to data. And after expanding the power of the keys, developers do not treat them as critical assets. Instead, companies fail to keep track of the keys, e-mailing them around and storing them on desktop hard drives.

"They shouldn't be used for anything that matters, but people do. And when they do, they don't take it as far as they need to," Morrison says. "It's kind of the worst of both worlds."

During a presentation at the RSA Security Conference earlier this year, Morrison stressed the danger in the misuse and mishandling of API keys. The warning was repeated at the recent SOURCE Boston conference by application gateway maker Vordel. An improper implementation that allows simple access to an API via use of a secret key can allow attackers to have unmitigated access if the key can be sniffed out or stolen from an authorized user's computer, said Jeremy Westerman, Vordel's director of product management, at the conference.

"There is a need to protect these cloud API keys," Westerman said. "There is a lot of awareness in the industry about protecting, say, SSL keys ... Unfortunately, protecting API keys has not reached that level of awareness."

Cloud and Web service developers must first follow best practices in opening up their APIs to third parties. In return, third-party developers need to handle the keys in a secure manner and not, for example, encode a nonobfuscated key into an application.

[Microsoft Research report shows how risky single sign-on can be without solid integration and better support from Web service providers like Google and Facebook. See Web Services Single Sign-On Contain Big Flaws.]

Communicating best practices can go a long way to fixing the issues, says Mark O'Neill, Vordel's chief technology officer.

"The SaaS [software-as-a-service] providers expect you to protect these keys, but they don't tell you how to protect the keys," O'Neill says.

Companies that have API keys should treat them as valued assets, he says. The keys should be handled in much the same way as code-signing keys and other encryption material.

API keys were first used by Google, Yahoo, and other early pioneers of Web services. However, as the model moved from standalone sites to Web 2.0 mashups and the companies exposed their services for use by other websites, the weaknesses of API keys quickly became evident. Companies began to implement different schemes for application and user authentication, including OAuth, the Security Assertion Markup Language (SAML), and hashed-based authentication codes (HMACs).

The stronger authentication methods should be used for securing sensitive data, and each token should have a reasonable expiration time. In addition, because secret keys are occasionally exchanged, communications should always be over SSL, says Gregory Brail, vice president of technology for Web technology and services firm Apigee.

"The developer needs to understand the limitations and understand the best practices around implementing API keys," he says.

Developers should still use API keys, Brail says. They should just use them for their proper function and use other tools as the situation demands.

"I'm not saying that there is nothing that can go wrong here; I'm saying that this is not a reason to throw away your API keys," Brail says. "They are an important part of your whole security system."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...