Almost every business today will use APIs in some form. “APIs are at the core of today’s digital innovation initiatives and have become the number one attack vector for applications.”
This article will explore two infamous API security breaches and how security teams could have prevented them from understanding better why APIs present such a security risk.
In September 2022, Optus, an Australian Telecommunications company, suffered a breach exposing the sensitive information of 9.7 million people – over a third of Australia’s population. While Optus claims the breach resulted from a sophisticated cyberattack, a source from inside the company and the Australian government claim the actual cause was an API vulnerability brought about by human error.
The generally accepted chain of events is as follows:
- The hacker discovered the publicly exposed API that didn’t require authentication.
- Since the API granted access to sensitive customer data, the hacker could retrieve customer records without proper authorization.
- Incrementing customer identifiers made automating the data exfiltration process easier for the hacker. The hacker wrote a script that requested customer records by incrementing the identifier, leading to efficient data extraction.
- The hacker exploited this vulnerability for a period of approximately three months.
- Due to the ease of exploiting the vulnerabilities and the efficiency of the data exfiltration process, the breach became one of the largest in Australian history.
The Optus breach made headlines because of its scale and because the organization could have easily prevented it. Other organizations must learn from Optus’ mistake, ensuring that APIs are not publicly exposed and implementing proper authentication mechanisms, such as API keys, OAuth, or JWT tokens. To prevent a breach similar to Optus, organizations should follow the principle of least privilege, where APIs only grant access to the data and functionality that a user or application requires.
On July 15, 2020, attackers compromised several high-profile Twitter accounts, including those of Barack Obama, Joe Biden, Elon Musk, Bill Gates, and others. The attackers posted tweets promoting a cryptocurrency scam, asking followers to send Bitcoin to a specified wallet address, promising to double the amount in return.
The attackers exploited a vulnerability in Twitter’s internal systems to gain unauthorized access to these accounts. They used this access to tweet fraudulent messages and attract users to the cryptocurrency scam.
The attackers used a combination of social engineering and technical exploitation to breach Twitter’s security:
- Social Engineering: The attackers initiated a social engineering attack on Twitter employees by posing as internal IT staff. Through manipulation and deception, they convinced these employees to provide them with access to Twitter’s internal systems.
- Account Takeover: Once inside Twitter’s systems, the attackers targeted employees with administrative privileges, granting them access to user accounts, known as a “VIP account compromise.”
- Impersonation and Fraudulent Tweets: With control over these accounts, the attackers posted tweets promoting the cryptocurrency scam. The tweets asked users to send Bitcoin to a specific wallet address.
The fraudulent tweets were widely circulated and attracted attention due to the high-profile nature of the compromised accounts. The attack highlighted the potential risks associated with hackers compromising verified accounts on social media platforms.
Also read: 5 Ways to Prevent Retail Cyber Threats
Twitter responded swiftly, removing the fraudulent tweets and locking down the affected accounts. The company also temporarily restricted posting privileges for all verified accounts while investigating the incident.
The Twitter API data breach underscored the importance of cybersecurity measures for social media platforms and highlighted the potential impact of a high-profile account compromise. Some key takeaways include:
- Social Engineering Awareness: Organizations must train employees to recognize and respond to social engineering tactics to prevent unauthorized access.
- Access Control: Maintaining strict access controls and reducing the number of employees with elevated privileges can limit the impact of a potential breach.
- Incident Response: A robust incident response plan is crucial to minimize damage and swiftly address security incidents.
- Multi-Factor Authentication (MFA): Enforcing MFA for administrative access can add an extra layer of security and prevent unauthorized account takeovers.
- Regular Security Audits: Regularly auditing and assessing internal systems and processes can help identify vulnerabilities and weaknesses.
- User Education: Educating users about potential scams and fraudulent activities can help reduce the success rate of such attacks.
- API Security: Ensuring the security of APIs that control user account functionality is critical to preventing unauthorized access and manipulation.
Optus’ breach, attributed to human error and inadequate authentication, highlights the necessity of securing APIs against unauthorized access. Twitter’s breach, fueled by social engineering and technical exploitation, underscores the importance of multi-layered security measures. These incidents highlight the need for stringent API security practices, including robust authentication, vigilant access controls, and comprehensive user education. As organizations navigate the API-driven era, these lessons serve as a crucial foundation for mitigating risks and safeguarding sensitive data.