APIs (Application Programming Interfaces) have proliferated widely, which increases their susceptibility to various vulnerabilities. In the realm of web applications, prime examples that stand out are SOAP (Simple Object Access Protocol) and Representational State Transfer (REST) APIs. Due to their inherent complexity and the dynamic nature of software ecosystems, common vulnerabilities include inadequate authentication mechanisms and injection attacks such as SQL injection or cross-site scripting (XSS).

At Wallarm, we've been addressing API leaks for years, gaining deep insights into their causes and consequences. Through this experience, we've identified three critical factors behind a majority of these leaks.

"In our pursuit of innovation, understanding API leaks isn't just about data protection - it's about trust. By openly addressing vulnerabilities, we reinforce our customer’s systems and demonstrate integrity.”

- Ivan Novikov, CEO @ Wallarm

Shaped by real-world experiences and the challenges our clients face, here are a few significant insights:

1. Accidental Exposure Across Public Repositories

A common pitfall we've encountered is the exposure of private API specifications (or source code) across public repositories. When the Wallarm team was working with a customer, a similar situation occurred when the company tried to streamline collaboration between remote developers using GitHub. The customer accidentally pushed sensitive API keys and documentation to a public repository.

This mistake gave attackers unfettered access to their internal API mechanisms, leading to unauthorized data access. Such incidents underscore the delicate balance between collaboration and security.

2. Publicly Available In-Development & Private APIs

Another significant risk arises from the premature exposure of in-development APIs to the public. While such APIs mostly come equipped with debugging functionalities, they are not fully secured and can become gateways for data breaches.

The Wallarm team saw such a scenario unfold with an e-commerce client whose in-development API for order management was exposed to users without adequate security measures. As a result, attackers could access and manipulate customer data, leading to a severe breach. This experience highlighted the critical need for securing APIs at every stage of their lifecycle.

3. Releasing Unverified Integration Tools & Mobile Apps

The rush to release mobile apps, SDKs, and API scripts can sometimes bypass critical security verification steps. One case in particular that stands out for us involved a financial services firm that released a mobile app with hard-coded API keys. When the app was decompiled, it exposed sensitive financial data that inevitably put user privacy at risk. Similarly, a social media API's SDK was released without proper security checks, leading to the prolonged exposure of dozens of user tokens.

These incidents illustrate the dangers of overlooking security in the eagerness to facilitate API integration and usage.

Through years of addressing API leaks at Wallarm, these examples have been instrumental in refining our approach to API security. They serve as stark reminders of the importance of constant vigilance, thorough comprehensive security practices, and the continuous education for developers on secure coding practices.

At Wallarm, we have built a robust solution to manage API leaks and protect enterprise customers of any size by revoking leaked tokens. On a similar note, we also recently launched our NIST CSF 2.0 Dashboard aimed at assisting businesses in enhancing their cybersecurity frameworks and strategies.

Wallarm’s dashboard helps you:
- Align with NIST CSF 2.0 guidelines for an enhanced security posture
- Enhanced visibility, identify security gaps, and offer tailored implementation safeguards

Discover how Wallarm helps you secure your digital assets effectively.