Security News

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai
2020-02-20 22:56

The web services 'n' security biz said, in a report released today, that three-quarters of all credential abuse attacks it detected in 2019 were targeted at banks' publicly available APIs. Akamai said it had "Observed 85,422,079,109 credential abuse attacks" over two years, spanning December 2017 to November last year.

Most credential abuse attacks against the financial sector targeted APIs
2020-02-20 06:30

According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly. According to the report's findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed.

Three API security risks in the wake of the Facebook breach
2020-02-17 06:30

The theft of access tokens represents a major API security risk going forward, but it also highlights how API risks can remain undetected for so long. API risk is rooted in a lack of visibility, not only into API traffic but also into the flexible and powerful parameters defined in API specifications, or "specs." DevOps and SecOps attempt to mitigate this risk by creating and maintaining API catalogs, which are collections of these specs.

Twitter API Abused to Uncover User Identities
2020-02-04 14:22

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API function on its platform that, when used as intended, allows accounts to find Twitter users they may already know by matching phone numbers to Twitter account names. The bad actors were using this legitimate feature to uncover Twitter users, raising concerns that they could have obtained the true identities of human rights activists or dissidents who use pseudonyms on Twitter.

Twitter Suspends Fake Accounts for Exploiting API Vulnerability
2020-02-04 14:11

Twitter on Monday announced that it has suspended a large number of fake accounts that had exploited an API vulnerability to match usernames to phone numbers. The fake accounts were exploiting a feature meant to help users with newly created accounts find people they might already know on the online platform.

State-sponsored actors may have abused Twitter API to de-anonymize users
2020-02-04 11:11

A Twitter API that's intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users. "On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it's important that you are aware of what happened, and how we fixed it," Twitter shared on Monday.

Twitter Warns API Flaw Abuse May Have Unmasked Users
2020-02-04 09:33

A Twitter API could have enabled outsiders to match users' phone numbers to their corresponding accounts and potentially unmask anonymous users of the social media site. Still, many users who wanted better account security have likely given their phone numbers to Twitter.

F5’s NGINX Controller enhanced with configuration API, self-service, and app-centric capabilities
2020-01-29 02:00

F5 Networks introduced NGINX Controller 3.0, a cloud-native application delivery solution to help organizations increase business agility, mitigate risk, and enhance their customers' digital experiences. NGINX Controller combines a broad set of app services, including load balancing, API management, analytics, and service mesh with an application-centric approach.

Week in review: Windows crypto flaw, API security risks, exploits for Citrix security hole abound
2020-01-19 14:00

Exploits for Citrix ADC and Gateway flaw abound, attacks are ongoing. With several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still above 25,000, attackers are having a field day.

January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSA. As forecasted, the January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to spoof code-signing certificates and use them to sign malicious code or to intercept and modify encrypted communications.

Security pitfalls to avoid when programming using an API
2020-01-14 10:45

API abuse is an ongoing problem and is expected to escalate in the coming years, as the number of API implementations continues to grow. The OWASP API Security Project aims to provide software developers and code auditors with information about the risks brought on by insecure APIs.