Security News
Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control...
File hosting service Dropbox has confirmed that attackers have breached the Dropbox Sign production environment and accessed customer personal and authentication information. "Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign's back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign's production environment."
Damn Vulnerable RESTaurant is an open-source project that allows developers to learn to identify and fix security vulnerabilities in their code through an interactive game. "I wanted to create a generic playground for ethical hackers, developers, and security engineers where they could identify, exploit, or fix vulnerabilities. Furthermore, security engineers could implement new vulns and test their detection tools because the Python FastAPI framework allows quick development," Krzysztof Pranczk, the creator of Damn Vulnerable RESTaurant, told Help Net Security.
95% of respondents surveyed by Fastly said they had experienced API security problems in the last twelve months. "The results of our survey show that decision-makers know that increased reliance on APIs creates a risk of serious cyberattacks. But so far they are not doing enough about it. This is surprising given that the operational and reputational cost of a breach far outweighs the price of deploying a consolidated web application and API security solution from a single provider," said Jay Coley, Senior Security Architect at Fastly.
Commerce is the most attacked vertical with 44% of API attacks, followed by business services at nearly 32%. APIs are vital to most organizations because they improve both employee and customer experiences. Cybercriminals have leveraged this digital innovation and the rapid expansion of the API economy to create new opportunities for exploitation.
Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in...
API integrations often handle sensitive data, such as employees' personally identifiable information, companies' financial information, or even clients' payment card data. Taking these measures will only grow in importance since more and more organizations are looking to build customer-facing API integrations.
In 2024, API requests accounted for 57% of dynamic internet traffic around the globe, according to the Cloudflare 2024 API Security & Management Report, confirming that APIs are a crucial component of modern software development. Poor API security practices can also have regulatory and legal consequences, cause disruption to company operations and even result in intellectual property theft.
A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts. The problem with the Spoutible API. Security consultant Troy Hunt has been tipped off about the API by an individual who shared a file with 207,000 Spoutible user records - supposedly scraped via the API - and an URL that would allow Hunt to do the same with his own account.
The exposed secrets include hundreds of Stripe, GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch secret keys, cryptocurrency exchange keys, X tokens, and Slack and Discord webhooks. This approach shows how and where API secret keys and tokens are exposed in real-world settings, not only in code repositories.