
APIs are a goldmine for PII and social engineering, as the Twitter data breach demonstrates

A flaw in the Twitter API introduced in June 2021 (and later patched) has returned to plague the company. While one hacker in December claimed to be selling the personal information of 400 million users on the dark web, hackers only yesterday gave away the account information and email addresses of 235 million people for free.

Usernames, handles, account creation dates, follower counts, and email addresses were among the data that was compromised. Taken together, these fields let threat actors construct social engineering campaigns designed to coerce victims into disclosing sensitive information.

The information disclosed was confined to what users had voluntarily made public, apart from the email addresses; nonetheless, the sheer number of accounts exposed in one place offers threat actors a treasure trove of information that can be used to plan highly focused social engineering attacks.

A treasure trove for social engineers

With access to a user’s name, email address, and other contextual details from a public profile, an attacker has enough information to perform reconnaissance and build targeted phishing and other fraud campaigns.

“This leak essentially doxxes the personal email addresses of high-profile users (but also of regular users), which can be used for spam harassment and even attempts to hack those accounts,” said Miklos Zoltan, Privacy Affairs security researcher. “High-profile users may get inundated with spam and phishing attempts on a mass scale.”

Zoltan therefore suggests using a unique password for each service to lessen the likelihood of account hijacking.

Social engineering’s role in API attacks

When a client connects to a third-party service’s API, sensitive information such as a user’s name, email address, and password can be exposed to attackers if the API isn’t properly secured. API attacks therefore give fraudsters a way to collect many people’s personal information at once.

A month ago, a threat actor applied to and was accepted by the FBI’s InfraGard intelligence-sharing programme, then exploited an API flaw to steal the personal information of 80,000 executives from private companies and sell it on the dark web.

Usernames, email addresses, Social Security numbers, and dates of birth were among the sensitive data stolen in that incident, making it easy to launch social engineering or spear-phishing campaigns.

API abuse has been on the rise, and according to Gartner, it will overtake SQL injection as the most common threat vector this year.

Taking ‘just work’ APIs to the next level

94% of IT decision-makers said they are only fairly confident in their organisation’s ability to meaningfully minimise API data security risks, reflecting growing worry across the business community as a whole.

Businesses that rely on APIs will have to be more proactive about building security into their products, and consumers will have to be more wary of suspicious communications.

According to Jamie Boote, associate software security consultant at Synopsys Software Integrity Group, “this is a classic example of how an unsecured API that developers build to ‘just work’ may stay unsecured, since when it comes to security, what is out-of-sight is often out-of-mind.” To avoid falling victim to a phishing scam, it is recommended that you delete any email that claims to be from Twitter from this point forward.

Security for APIs and Personal Information

One of the primary obstacles to resolving API breaches is that today’s organisations must first find, and then safeguard, hundreds of APIs.

According to Chris Bowen, CISO of ClearDATA, “protecting enterprises from API assaults involves constant, thorough control of vendor management, and especially verifying that every API is appropriate for usage.” If businesses do not attempt to manage all of it, the risk is too high.

Moreover, there is little room for error, because even a single flaw can put sensitive user information at risk of theft.

For example, Bowen said that in healthcare, “where patient data is at risk, every API should cover multiple components such as identity management, access management, authentication, authorization, data transit and exchange security, and trustworthy connection.”

Security teams should also avoid the pitfall of relying too heavily on weak authentication methods, such as usernames and passwords alone, to secure their APIs.

“In today’s context, standard usernames and passwords are no longer enough,” said Will Au, senior director for DevOps, operations, and site stability at Jitterbit.

Two-factor authentication (2FA) and/or secure OAuth authentication are now critical standards to implement.

Other measures, such as deploying a web application firewall (WAF) and continuously monitoring API traffic, can help detect malicious behaviour and reduce the likelihood of a breach.
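As an added illustration of the last two points (OAuth rather than bare credentials, and continuous monitoring of API traffic), the following script is not from the article or from any vendor quoted in it. It scans a constructed gateway-style access log and flags two things a defender would want to see: callers that reach an account-lookup endpoint without an OAuth token, and callers whose lookup volume in any one-minute sliding window exceeds a threshold. The log format, the `/v1/users/lookup` path, the client names and the threshold of 30 lookups per minute are all assumptions made for the example, not any real Twitter API or limit.

```python
"""Added example (not the article's or Twitter's code): flag unauthenticated
and high-volume account-lookup traffic in a constructed API access log.
Log fields, endpoint path and thresholds are assumptions for illustration."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SENSITIVE_PREFIXES = ("/v1/users/lookup",)  # assumed PII-returning endpoint
WINDOW = timedelta(minutes=1)                # assumed detection window
THRESHOLD = 30                               # assumed max lookups per client per window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _line(ts, client, auth, path="/v1/users/lookup", status=200):
    """Serialise one constructed log record as JSON (one record per line)."""
    return json.dumps({"ts": ts.strftime(TS_FMT), "client": client,
                       "auth": auth, "path": path, "status": status})


def build_sample_log():
    """Constructed sample: a normal OAuth client, an unauthenticated caller,
    and a credentialed client bursting 45 lookups within 45 seconds."""
    t0 = datetime(2023, 1, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # legitimate client, lookups spread two minutes apart
        lines.append(_line(t0 + timedelta(minutes=2 * i), "app-7f3a", "oauth2"))
    # caller hitting the lookup endpoint with no credentials at all
    lines.append(_line(t0 + timedelta(seconds=30), "203.0.113.9", "none"))
    for i in range(45):  # credentialed client enumerating accounts
        lines.append(_line(t0 + timedelta(minutes=1, seconds=i), "app-c0de", "oauth2"))
    # unrelated traffic that must not count towards lookup volume
    lines.append(_line(t0, "app-7f3a", "oauth2", path="/v1/tweets/timeline"))
    return "\n".join(lines)


def parse_log(text):
    """Parse JSON-lines log text into records with timezone-aware timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def find_unauthenticated(records):
    """Clients that reached a sensitive endpoint without an OAuth token."""
    return sorted({r["client"] for r in records
                   if is_sensitive(r["path"]) and r["auth"] != "oauth2"})


def find_high_volume(records, window=WINDOW, threshold=THRESHOLD):
    """Per-client sliding-window count of sensitive lookups; returns the peak
    count for every client whose peak exceeds the threshold."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_sensitive(r["path"]):
            by_client[r["client"]].append(r["ts"])
    flagged = {}
    for client, stamps in by_client.items():
        recent, peak = deque(), 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:  # drop timestamps older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[client] = peak
    return flagged


def analyse(text):
    """Run both checks over a log and return a findings summary."""
    records = parse_log(text)
    return {"unauthenticated": find_unauthenticated(records),
            "high_volume": find_high_volume(records)}


if __name__ == "__main__":
    print(json.dumps(analyse(build_sample_log()), indent=2))
```

On the constructed log this reports `203.0.113.9` as an unauthenticated caller and `app-c0de` as a high-volume client peaking at 45 lookups in one window; the legitimate client and the timeline request are not flagged. In a real deployment the same two checks would run over the gateway's actual log stream, and a WAF or rate limiter would be the enforcement point once the thresholds have been tuned against observed traffic.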