Attacks on APIs are under-detected and under-reported, says Akamai report

A security researcher this week detailed how she found an application programming interface (API) flaw in a German student community app that could have exposed the personal information of hundreds of thousands of users.

The developer has patched the vulnerability, but it’s the latest example of security vulnerabilities that can be created in APIs unless application developers take more care in their coding.

That point was made clear in a report released this week by Akamai Technologies, part of its State of the Internet series, which found threat actors are increasingly taking advantage of security gaps in APIs.

“From broken authentication and injection flaws, to simple misconfigurations, there are numerous API security concerns for anyone building an internet-connected application,” Steve Ragan, Akamai security researcher and author of the report, said in a statement.

“API attacks are both under-detected and under-reported when detected. While DDoS attacks and ransomware are both major issues, attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack, but that doesn’t mean they should be ignored.”

APIs are supposed to be versatile, says the report, enabling ease of use and access for both the business and end-user. Most organizations use APIs in some fashion, either internally or externally, for customers or business partners, or a mix of both.

However, sometimes developers don’t get the balance right between ease of use and security.

For example, the report notes that in 2020, Twitter acknowledged that a large number of fake accounts were exploiting its API and matching usernames to phone numbers. The API function was supposed to make it easier for users to find friends, but malicious actors exploited this feature for data enrichment.

In another example, a security researcher this year showed he was able to identify members of closed groups on Facebook by using the social media giant’s API.

More seriously, says the report, criminals are actively seeking access to compromise accounts of the users of the API-based Twilio service. Twilio allows software developers to add the ability to make and receive phone calls, send and receive text messages, and perform other communication functions using its web service APIs. Compromised Twilio accounts could be used for general spamming, passive phishing, targeted phishing, and other fraud.

In February, a researcher showed that all of a group of mobile medical applications with APIs were vulnerable to broken object authorization, allowing personal information of users to be viewed. Nearly 80 per cent of the applications tested had hard-coded API keys (including some that never expire), tokens, private keys, and even hard-coded usernames and passwords as part of their design.

One reason for these mistakes is the rush to get software out the door. The Akamai report quotes a survey done for Veracode last year which said 48 per cent of organizations questioned admitted regularly pushing vulnerable code to market.

The Akamai report recommends these best practices for app developers and infosec pros:

–discover your APIs and track them as you would inventory;

–test them and understand their vulnerabilities. Start by looking for hard-coded keys, logic calls and whether API traffic could be compromised by an impersonation attack;

–leverage existing web application firewall infrastructure, identity management and data protection solutions, and specialized API security tools during the development and launch of an app;

–avoid creating unique policies for every API. Instead create blanket policies that can be reused;

–include stakeholders when developing APIs. That includes not only the development team but also the network, security, identity, risk management, and legal/compliance teams.

The report also says developers can take cues from the Open Web Application Security Project (OWASP) Top 10 Web Application Security Risks.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.