Top 6 API security threats
The use of APIs might make your app vulnerable to attacks. Learn more about what to watch out for in this article.
Researchers are sounding the alarm on threats to app security from insecure APIs. Here are the top 6 threats facing businesses today.
According to research and advisory firm Forrester, security models for APIs haven’t kept pace with the requirements of a non-perimeter world. Moreover, APIs are an elusive moving target because they are vulnerable to a broader, more complex series of threats. With growth in the API ecosystem continuing at a rapid pace, API abuses and misuses resulting in data exfiltration by attackers is, unfortunately, becoming one of the most common attack vectors today.
The main types of API security threats are:
- Man-in-the-middle attacks
- Injection attacks
- App impersonations
- Credential stuffing
- Denial of service attacks
- Automated bots and data scraping
Man-in-the-middle (MITM) attacks
Man-in-the-middle attacks occur when mobile API traffic is intercepted by a malicious third party (the man in the middle), to covertly observe sensitive data such as personally identifiable information (PII), alter the content of API communications between the app and the server, or extract credentials like passwords and credit card information transmitted within API requests. Targets are typically, but not limited to, users of finance and payment apps. SaaS businesses, e-commerce sites, and other websites where login is required, are also highly vulnerable to man-in-the-middle attacks.
Injection attacks are a growing threat to APIs, and can occur on apps running on poorly developed code. The attacker injects malicious code into software, like SQL injection and cross-site scripting, to gain access to your software.
Overall, injections account for a significant percentage of vulnerabilities found in APIs, and can result in data loss, corruption, information disclosure to unauthorised parties, or denial of access. Injection attacks can also sometimes lead to a complete host takeover.
Fake mobile apps impersonate trusted brands, and compromise mobile devices with malware designed to monitor your activity and steal confidential data. By replicating the appearance and functionality of legitimate apps, they trick unsuspecting users into installing and interacting with malicious content. Another type of threat involves an attacker reverse engineering your API protocol, gaining access to your API keys, and building new software that impersonates the real app to make arbitrary API calls.
Impersonation attacks are on the rise. According to the FBI’s Internet Crime Report, they have caused more than $5 billion of losses over the past five years. Worryingly, data also shows that impersonation scams affecting banks have increased 84% in the United Kingdom alone during the COVID-19 pandemic.
Credential stuffing is a threat to businesses worldwide, not least due to the shift to remote working. The COVID-19 pandemic has accelerated the remote workforce trend, and left many businesses unprepared to defend a distributed network. A credential stuffing attack begins when a malicious actor uses a phishing campaign, or another information leak, to steal user credentials. The attacker then uses automated tools to test credentials across multiple services or mobile apps.
Research shows that attackers increasingly use APIs to automate credential stuffing attacks. The financial sector is particularly vulnerable. According to a report from security company Akamai, 20% of their credential abuse attacks target hostnames that are identified as API endpoints.
Denial of service (DoS and DDoS) attacks
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are also on the rise, with researchers warning that cybercriminals are getting increasingly creative in making campaigns more disruptive. The number of incidents reported is also at a record high level.
Denial of service is a type of cyberattack designed to disrupt, or even shut down, an app by flooding the target with traffic. Typically, an attack occurs when a large number of requests are sent to the API at once. Rate limiting can help stop certain kinds of malicious bot activity, and put a cap on the number of API calls, but is not a complete solution for protecting your APIs.
Automated bots and data scraping
Finally, data scraping attacks seem to target a broader range of industries. Data scraping is an automated bot threat where cybercriminals collect data, including login credentials, payment details and personally identifiable information (PII), for malicious purposes. These attacks are planned in various stages to evade the vulnerabilities of existing security systems, such as web application firewalls (WAFs) and API gateways. While the share of bot traffic to online sites continues to decline, businesses are seeing an overall increase in automated scraping of data, login attempts, and other detrimental activity.
In short, APIs are vulnerable to attacks, and leakages into the public domain can cause significant damage to businesses in terms of lost revenue, service downtime and brand reputation.
Interested in learning more about how you can enhance your API protection?