Security News

APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage
2024-03-19 16:20

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in...

5 ways to keep API integrations secure
2024-03-06 06:00

API integrations often handle sensitive data, such as employees' personally identifiable information, companies' financial information, or even clients' payment card data. Taking these measures will only grow in importance since more and more organizations are looking to build customer-facing API integrations.

The importance of a good API security strategy
2024-02-21 04:30

In 2024, API requests accounted for 57% of dynamic internet traffic around the globe, according to the Cloudflare 2024 API Security & Management Report, confirming that APIs are a crucial component of modern software development. Poor API security practices can also have regulatory and legal consequences, cause disruption to company operations and even result in intellectual property theft.

Spoutible API exposed encrypted password reset tokens, 2FA secrets of users
2024-02-06 14:26

A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts. Security consultant Troy Hunt was tipped off about the API by an individual who shared a file with 207,000 Spoutible user records - supposedly scraped via the API - and a URL that would allow Hunt to do the same with his own account.

Researchers discover exposed API secrets, impacting major tech tokens
2024-02-05 05:30

The exposed secrets include hundreds of Stripe, GitHub/GitLab tokens, RSA private keys, OpenAI keys, AWS tokens, Twitch secret keys, cryptocurrency exchange keys, X tokens, and Slack and Discord webhooks. This approach shows how and where API secret keys and tokens are exposed in real-world settings, not only in code repositories.

Managing the hidden risks of shadow APIs
2024-02-02 03:00

Key ways to manage shadow APIs entail API documentation and inventory, API discovery, API validation, and comprehensive visibility into the security of API endpoints. This requires a solid process for publishing APIs with proper documentation that records how the API behaves and how it interacts with other APIs.

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign
2024-02-01 13:36

Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat. "The campaign deploys a benign container generated using...

Trello API abused to link email addresses to 15 million accounts
2024-01-23 21:31

An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information. In a conversation with emo, BleepingComputer learned that a publicly exposed API was used to associate email addresses with public Trello profiles.

Insurance website's buggy API leaked Office 365 password and a giant email trove
2024-01-18 01:58

Toyota Tsusho Insurance Broker India, an Indo-Japanese joint insurance venture, operated a misconfigured server that exposed more than 650,000 Microsoft-hosted email messages to customers, a security researcher has found. Zveare then examined the calculator web page on the TTIBI website and saw that it included a client-side function that created a request to send email using a server-side API. "This caught my eye because this was a client-side email sending mechanism," he wrote in a post describing his findings.

Have I Been Pwned adds 71 million emails from Naz.API stolen account list
2024-01-17 22:06

Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware.