Payment API Bungling Exposes Millions of Users’ Payment Data
Security News, September 2021
App developers have once again been accused of having butterfingers when it comes to API keys, leaving millions of mobile app users at risk of exposing their personal and payment data.
But like so much of cybersecurity, it's a could-a, should-a situation: "CloudSEK has observed that a wide range of companies - both large and small - that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages," according to CloudSEK researchers Arshit Jain and Sai Ahladini Tripathy.
In a nutshell, the penetration tester found API leakage that would let an attacker access more than 10,000 paid API keys and use them to obtain free services or sensitive data.
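To make the finding concrete, here is an added example (not CloudSEK's tooling or anything from the article) of how a reviewer checks an app package for hardcoded keys: an APK is a zip, so every entry is scanned as raw bytes against a few well-known key formats. The key patterns, the sample package built by build_sample_apk() and the fake key values are constructed for this example.

```python
"""Scan an Android package (an APK is a zip) for hardcoded API keys.

Constructed example: the key formats, the sample package and the fake key
values are assumptions for illustration, not anything from the article.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Well-known key prefixes/lengths plus a generic "api_key = <value>" catch-all.
# Illustrative set (assumed), not a complete secret-scanning ruleset.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "stripe_live_secret": re.compile(rb"sk_live_[0-9A-Za-z]{24,}"),
    "generic_api_key": re.compile(rb"(?i)api[_-]?key[\"'\s:=]{1,5}([A-Za-z0-9_\-]{20,})"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    entry: str     # path of the file inside the package
    preview: str   # redacted value, so the report does not leak the key again


def redact(secret: bytes) -> str:
    s = secret.decode("ascii", "replace")
    return s[:4] + "..." + s[-2:]


def scan_package(apk_bytes: bytes) -> list[Finding]:
    """Run every pattern over the raw bytes of every entry in the package.

    Scanning raw bytes instead of parsing catches keys in DEX string tables,
    assets, native libraries and resources alike, as long as the key is stored
    as ASCII/UTF-8; UTF-16 blobs would need decoding first.
    """
    findings: list[Finding] = []
    seen: set[tuple[str, str, bytes]] = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for kind, pattern in KEY_PATTERNS.items():
                for m in pattern.finditer(data):
                    secret = m.group(m.lastindex or 0)
                    key = (kind, info.filename, secret)
                    if key in seen:          # same key repeated in one file
                        continue
                    seen.add(key)
                    findings.append(Finding(kind, info.filename, redact(secret)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with a few typical entries.

    Real APKs compile strings.xml into resources.arsc; a plain XML entry is
    used here only to keep the sample self-contained.
    """
    fake_stripe = b"sk_live_x1y2z3x1y2z3x1y2z3x1y2z3"          # constructed
    fake_google = b"AIza0123456789abcdefghijklmnopqrstuvwxy"   # constructed
    fake_aws = b"AKIAEXAMPLE000000001"                          # constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.pay'/>")
        zf.writestr("res/values/strings.xml",
                    b'<resources><string name="payment_key">' + fake_stripe + b"</string></resources>")
        zf.writestr("assets/config.json", b'{"api_key": "' + fake_google + b'", "env": "prod"}')
        # DEX string tables hold constants as plain bytes among binary data.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + fake_aws + b"\x00" * 16)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_package(build_sample_apk()):
        print(f"{f.kind:20} {f.entry:30} {f.preview}")
```

Run it against a real build before release, not after a researcher does; a hit on a `sk_live_` or similar production prefix means the key is already public the moment the app ships, and the only fix is to revoke it and move the call behind a backend.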
Hardcoded API Keys Are a No-No
Salt Security's Isbitski noted that API keys are the equivalent of static passwords that organizations frequently use as a sole means of authentication, with IT teams failing to rotate them frequently enough, "if at all," while engineering teams "often rely on API keys as a means of system integration or automation."
"Obtaining an API key is the equivalent of obtaining a working credential. Attackers craft requests to API endpoints using harvested API keys to gain access to data or functionality."
API security best practices include disallowing the embedding of API keys or secrets in applications or code, given how easily attackers can harvest them.
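The two points above (an API key is a static credential, and it must not ship inside the app) in working code, as an added example that is neither the article's nor Salt Security's: a simulated payment provider, an app that embeds the provider key, and a backend that keeps the key server-side and hands the app only short-lived, account-bound HMAC-signed tokens. PaymentProvider, Backend, the key strings and the token format are all constructed for this example.

```python
"""Anti-pattern versus backend-brokered design for a payment API key.

Constructed example: PaymentProvider, Backend, the key strings and the token
format are assumptions for illustration, not the article's or any vendor's code.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class PaymentProvider:
    """Stand-in for a third-party payment API authenticated by a static key."""

    def __init__(self, valid_keys):
        self.valid_keys = set(valid_keys)
        self.charges = []

    def charge(self, api_key: str, account: str, amount_cents: int) -> bool:
        if api_key not in self.valid_keys:
            return False
        self.charges.append((account, amount_cents))
        return True


# Anti-pattern: the provider key is compiled into the mobile app, so anyone who
# unpacks the APK holds a working credential for every account.
EMBEDDED_KEY = "sk_live_constructed_embedded_key"  # constructed value


def vulnerable_client_charge(provider, account, amount_cents):
    return provider.charge(EMBEDDED_KEY, account, amount_cents)


class Backend:
    """Keeps the provider key server-side; the app only ever sees short-lived,
    account-bound tokens signed with HMAC-SHA256 under a server-only key."""

    def __init__(self, provider, provider_key, token_ttl_seconds=300):
        self._provider = provider
        self._provider_key = provider_key           # from a secret store in practice (assumed)
        self._signing_key = secrets.token_bytes(32)
        self._ttl = token_ttl_seconds

    def issue_token(self, account, now=None):
        now = time.time() if now is None else now
        payload = json.dumps({"sub": account, "exp": int(now + self._ttl)},
                             separators=(",", ":")).encode()
        sig = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def _verify(self, token, now):
        """Return the account the token is bound to, or None if it is invalid."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
            expected = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):   # constant-time comparison
                return None
            claims = json.loads(payload)
            if int(claims["exp"]) <= now:
                return None
            return str(claims["sub"])
        except (ValueError, KeyError, TypeError):        # malformed token of any kind
            return None

    def charge(self, token, amount_cents, now=None):
        now = time.time() if now is None else now
        account = self._verify(token, now)
        if account is None:
            return False
        # The token fixes which account is charged; the provider key never leaves the server.
        return self._provider.charge(self._provider_key, account, amount_cents)

    def rotate_provider_key(self, new_key):
        """Rotation is a server-side change; no new app build is needed."""
        self._provider_key = new_key


def demo() -> dict:
    provider = PaymentProvider({EMBEDDED_KEY, "sk_live_constructed_backend_key"})
    t0 = 1_700_000_000
    results = {}
    # The app works, and so does an attacker who extracted the same key.
    results["app_charge_works"] = vulnerable_client_charge(provider, "alice", 12_00)
    results["stolen_key_works"] = provider.charge(EMBEDDED_KEY, "victim", 999_00)

    backend = Backend(provider, "sk_live_constructed_backend_key", token_ttl_seconds=300)
    token = backend.issue_token("alice", now=t0)
    results["fresh_token_ok"] = backend.charge(token, 12_00, now=t0 + 10)
    results["expired_token_ok"] = backend.charge(token, 12_00, now=t0 + 600)
    # Re-use alice's signature over a payload naming another account.
    forged_payload = json.dumps({"sub": "bob", "exp": t0 + 300}, separators=(",", ":")).encode()
    forged = _b64(forged_payload) + "." + token.split(".")[1]
    results["forged_token_ok"] = backend.charge(forged, 12_00, now=t0 + 10)
    # Rotate the provider key: only the backend changes, and the stolen key dies.
    provider.valid_keys = {"sk_live_constructed_rotated_key"}
    backend.rotate_provider_key("sk_live_constructed_rotated_key")
    results["after_rotation_ok"] = backend.charge(backend.issue_token("alice", now=t0), 5_00, now=t0 + 10)
    results["stolen_key_after_rotation"] = provider.charge(EMBEDDED_KEY, "victim", 999_00)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

The token only pins which account a request may charge; amount limits and other business rules are the backend's job and are left out here. In production the hand-rolled HMAC token would be replaced by a standard session or JWT mechanism and the provider key would come from a secrets manager, but the property that matters is unchanged: the static credential lives on one server you can rotate, not in a package anyone can download.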
News URL
https://threatpost.com/payment-api-exposes-payment-data/174825/