Subscribe for expert insights to protect your APIs.
Thanks! Your subscription has been recorded.
In the last few weeks, the security community has been shaken by a series of exploits targeting MOVEit, a popular file transfer software. These incidents have exposed critical vulnerabilities, allowing threat actors to compromise sensitive data and exploit organizations ranging from the BBS to several arms of the US Government.
Explore the major findings from the 2023 Verizon Data Breach Investigations Report in our latest blog post. We delve into the rise of social engineering attacks, the human element in breaches, the most affected sectors, and the significance of web application attacks in today’s cybersecurity landscape.
The Telecom Industry: Why APIs Are Becoming their Worst Nightmare In the last six months, the Telecom industry has been hit by some massive, high-profile data breaches -- all of which happened by exploiting unprotected APIs. Gartner predicted that by 2022 APIs would...
Cybersecurity Roundup - February 2023: T-Mobile Fallout, ChatGPT abuse, and Shopify's Hardcoded API Tokens This February saw a few API vulnerabilities that should serve not only as cautionary tales, but as face-palm moments. Shopify’s hard-coded API keys mean that 4...
Cybersecurity Roundup for January 2023: T-Mobile data leak, CircleCI vulnerability, rampant API automotive exploits possible, AWS Vulnerability, and Cryptotheft by API This year began with API attacks leading the way as the top vector for data breaches. The entire...
T-Mobile's API Data Breach: The API Security Reckoning is Here We are roughly three weeks into 2023, and here we are, contending with the second major API data breach of the year. If this is any indication of how this year will progress, we have some hard questions to...
Introduction - What is API Abuse? API Abuse has recently become an important topic among security professionals, and for good reason. In the past two years, we’ve seen large scale data breaches happen as a result of APIs being abused and misused in some way. API Abuse...
2023 Cybersecurity Predictions: Insights on the Future of API Security from Traceable CSO, Richard Bird It's that time again! It's time for experts around the globe address the year we are leaving behind, assessing our success and failures as an industry, and thinking...
The Business Case for API Security: Why API Security? Why Now? We are just about to finish yet another year -- 2022. And in terms of cybersecurity and specifically, API Security, the past 12 months has been quite a challenge for many industries. As with any emerging...
Cybersecurity Roundup for the Week of 10.10.2022: Thoma Bravo Completes Yet Another Acquisition, More API Vulnerabilities, and a US Airport Cyberattack This week, Thoma Bravo, Vista Equity and Thales made headlines on their latest rounds of acquisitions. Aqua Security...
Attack on unauthenticated API endpoint at Optus, CISA’s Warning on Cyber Risk, and Another perspective on the Uber hack. This week witnessed an API endpoint attack at Optus. Optus is an Australian telecommunications company headquartered in New South Wales. It is...
In 2019, I hacked 30 bank mobile apps and APIs in coordination with domestic and international financial services and FinTech companies. In 2020-2021, I hacked 30 mobile health (mHealth) apps and FHIR APIs in coordination with healthcare providers, giving me access to thousands of patient records via their APIs due to broken authentication and authorization vulnerabilities. This year, in coordination with federal and state law enforcement agencies, I was able to take remote control of law enforcement vehicles through the automaker’s APIs.
In this article, I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.
The majority of organizations rely heavily on third-party web applications connected through APIs to generate revenue and serve customers. In many cases, these web applications contain security vulnerabilities.
Better security rules increase false positives — which causes more complacency. Better tools for creating the context for more sophisticated rules and automated workflows can help.
Lacking the power of AI and machine learning, common security technologies miss API attacks by not seeing the broader business context. Here’s what happened at Shopify.
Even the largest companies in the world are susceptible to API vulnerabilities. How modern security defenses fail — and how to fix them.
Most security defenses would have missed the Uber API authorization vulnerability. Here’s why.