APIs are the hidden cogs that keep many of today’s largest organizations turning over increasing profits. Despite the wealth of innovation and development spurred on by the microservices takeover, API security continues to lag egregiously behind. The problem has already reared its head in the first days of 2023, costing customers millions.

Why API security is important

APIs have rapidly become the foundation of most modern web apps. Microservices is a highly API-driven approach to software development: under a microservice ethos, applications are broken down from their traditional monolithic whole into a number of smaller, network-connected services. These independent services become part of a bigger system via their APIs, which define the communication and flow of data between them. A 2021 report focusing on mature organizations found that 85% of global players rely on microservices, showing the sheer saturation of APIs throughout the enterprise space.

The splintering of enterprise tech stacks has created intensely complex environments, in which a single oversight can undo every other security control in place. As microservices and cloud apps are driven by APIs, those interfaces have become the new frontier of attack.

APIs are susceptible to a number of different attacks, a key one being the ‘man in the middle’. As the user’s session relays information to and from the core application, an attacker positioned on the network path can intercept that flow of data. If the traffic is unencrypted, every piece of data the API handles is exposed, session tokens and API keys included; stealing a session token is as severe as outright credential theft, because the token is what the server accepts as proof of identity. Even where an API relies on SSL/TLS encryption, the man-in-the-middle risk is not completely nullified: a client that skips certificate verification, a server that still accepts obsolete protocol versions, or a certificate that does not match the hostname can each leave end-user and sensitive enterprise information open to a widespread leak.
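The misconfiguration that most often reintroduces the man-in-the-middle risk on an otherwise TLS-protected API is a client that has had certificate verification switched off. The following is an added example, not code from the original article or from any product it mentions: it builds that weak client configuration beside a hardened one using only the Python standard library, and an audit function that reports the findings a reviewer would flag. The `get_json` helper and the URL it would be called with are assumptions for illustration; nothing here contacts a network.

```python
import json
import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """The 'make the certificate errors go away' configuration.

    With verification off, any host on the network path can present its own
    certificate and read or modify every request, including the session
    tokens and API keys the request carries.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server chain against the system trust store, check the
    hostname against the certificate, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the MITM-relevant weaknesses found in a client context (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 accepted")
    return findings


def get_json(url: str, ctx: ssl.SSLContext, timeout: float = 10.0):
    """Call a JSON API with the supplied context. Needs network; hypothetical
    usage: get_json("https://api.example.test/v1/keys", hardened_context())."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The order of the two assignments in `insecure_context` is not cosmetic: the `ssl` module refuses to set `CERT_NONE` while hostname checking is still on, which is exactly why code that disables verification tends to disable both at once.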

Another attack that APIs often fall foul of is injection. When an API developer does not carefully limit and define what user input may look like, an attacker can embed SQL, shell commands or script fragments in an otherwise ordinary request, and the application’s server ends up executing them as though they were its own queries or code.
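To make the injection case concrete, here is an added example (not code from the article or from any platform it discusses) showing the same lookup written two ways against a constructed in-memory SQLite table of exchange API keys. The table, user names and key values are made up; `INJECTION_PAYLOAD` is the classic tautology string, and the hardened path adds the input allowlist the paragraph calls for on top of parameter binding.

```python
import re
import sqlite3

# Constructed sample table: exchange API keys held by a hypothetical trading
# service. Names and key values are invented for this example.
SAMPLE_ROWS = [
    ("alice", "binance", "ak_alice_1"),
    ("bob", "coinbase", "ak_bob_1"),
]

# Closes the string literal the query opened, then ORs in an always-true test.
INJECTION_PAYLOAD = "' OR '1'='1"

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (user TEXT, exchange TEXT, key TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_keys_vulnerable(conn: sqlite3.Connection, user: str) -> list[str]:
    # The caller-supplied value is spliced into the SQL text, so whatever the
    # caller writes becomes part of the statement the database runs.
    sql = f"SELECT key FROM api_keys WHERE user = '{user}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_keys_hardened(conn: sqlite3.Connection, user: str) -> list[str]:
    # Parameter binding: the value travels separately from the statement and
    # can only ever be compared as data, never parsed as SQL.
    sql = "SELECT key FROM api_keys WHERE user = ?"
    return [row[0] for row in conn.execute(sql, (user,))]


def validate_username(user: str) -> bool:
    # Second layer: define what the input may look like and reject the rest.
    return USERNAME_RE.fullmatch(user) is not None


def lookup_keys(conn: sqlite3.Connection, user: str) -> list[str]:
    """Endpoint-style wrapper: allowlist the input, then query with binding."""
    if not validate_username(user):
        raise ValueError("invalid username")
    return lookup_keys_hardened(conn, user)


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, normal input:", lookup_keys_vulnerable(db, "alice"))
    print("vulnerable, payload     :", lookup_keys_vulnerable(db, INJECTION_PAYLOAD))
    print("hardened, payload       :", lookup_keys_hardened(db, INJECTION_PAYLOAD))
```

Run as-is, the vulnerable path returns every key in the table for the payload, while the bound query returns nothing because no user is literally named `' OR '1'='1`. The allowlist is not a substitute for binding; it exists so that malformed input is refused at the edge and logged before it ever reaches a query.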

These concerns are well founded: the latest API attack has caused massive financial losses, directly impacting consumers.

The 3Commas Breach

3Commas is a crypto trading platform that lets users run bots, which automatically execute trades on their behalf across third-party crypto exchanges such as Binance and Coinbase. Over the preceding months, large numbers of users had voiced concerns that the service had traded away funds without their consent. To quiet the initial complainants, 3Commas was adamant that these users had most likely been phished, and the team insisted that the platform itself was safe.

3Commas links to other crypto exchanges via API keys. A user generates a key in their third-party exchange account, which grants programmatic access to that account, and plugs it into 3Commas, giving the app’s bots access to any linked crypto accounts. Whoever holds the key therefore holds the same access the bots do. While concerns around the security of the API were initially dismissed, on 28 December an anonymous Twitter user leaked around 10,000 API keys, each belonging to a 3Commas user.

According to the leaker, they had obtained a database of 100,000 API keys, and after the initial batch they stated that more would be leaked at random over the following week. Tracing the issue back to October 2022, 3Commas confirmed that while the initial illicit trades were a trickle, fraudulent trading after the leak roughly doubled in intensity. 3Commas also acknowledged that users had lost a total of at least $6 million to the attackers within the first three months.

The leak may have quashed the theory that this was a targeted phishing campaign, but where, and how, the keys were obtained remains open. So far, 3Commas has committed to initial damage reduction, having pulled all existing API keys from connected trading platforms. The deeper ‘why?’ is still a mystery: the company initially suspected an insider, but confirmed it found no proof of one. For now, the investigation remains underway.

Prevent Losses with API Best Practice

API best practice starts with recognizing the key role these interfaces play in the transfer of sensitive data. It can be broadly split into two processes: authentication and authorization. Authentication verifies the identity of the caller, whether an end user or another service, and has to be paired with protection of the channel itself: the TLS protocol ensures that data sent from one service to another is encrypted in transit and that the client is talking to the genuine server, so the credentials and tokens that prove identity cannot be read or replayed by an intermediary.

Authorization, on the other hand, determines which resources each authenticated user can access. Allowing users to reach API functions and operations outside their predefined role greatly increases the attack surface of sprawling interconnected apps, and the check has to apply to individual objects as well as to operations: a caller who can read or act on any record simply by changing an identifier in the request has a ready path to escalate privileges, greatly increasing the blast radius of an attack.

Alongside the two As, overarching best practices include defining a schema for every API endpoint. A schema states the expected structure of each call, its fields, types and ranges, so that every request can be validated against it and anything unexpected is rejected before it reaches application logic. Alongside this, it is also best to inspect the payload of each call for injection attempts, such as query fragments or script embedded in what should be plain values. Flaws of both kinds are among those an investigation such as 3Commas’ has to rule out.
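The authorization and schema points above are easiest to see together in one request handler, so the following added example (not code from the article, from 3Commas, or from any exchange) serves both paragraphs. It validates a hypothetical “start bot” call against a schema, then performs the role check and the object-level ownership check before any application logic runs. The schema, the role table, the bot inventory and all user names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical schema for a "start bot" call: every field the endpoint accepts,
# with its type and bounds. Anything not listed here is rejected outright.
START_BOT_SCHEMA = {
    "bot_id": {"type": int, "min": 1},
    "pair": {"type": str, "pattern": r"[A-Z]{2,10}/[A-Z]{2,10}"},
    "amount": {"type": (int, float), "min": 0.0, "max": 1_000_000.0},
}

# Assumed role model: which operations each role may invoke. The ':any'
# suffix lets a role act on bots it does not own.
ROLE_PERMISSIONS = {
    "viewer": {"bot:read"},
    "trader": {"bot:read", "bot:start"},
    "admin": {"bot:read", "bot:start", "bot:start:any"},
}

# Constructed inventory: bot id -> owning user.
BOT_OWNERS = {17: "alice", 42: "bob"}


@dataclass(frozen=True)
class Caller:
    user: str
    role: str


def validate_payload(payload, schema) -> list[str]:
    """Return every way the payload deviates from the schema (empty = valid)."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    # Unknown fields are rejected, which also blocks mass-assignment tricks
    # such as a caller adding "role": "admin" to the body.
    errors = [f"unexpected field: {f}" for f in sorted(payload.keys() - schema.keys())]
    for name, rule in schema.items():
        if name not in payload:
            errors.append(f"missing field: {name}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python; never accept it for numeric fields.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type")
            continue
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum")
        if "pattern" in rule and re.fullmatch(rule["pattern"], value) is None:
            errors.append(f"{name}: bad format")
    return errors


def authorize(caller: Caller, action: str, bot_id: int) -> bool:
    """Role check (may this role do this at all?) followed by the object-level
    check (does this bot belong to the caller, or may they act on any bot?)."""
    perms = ROLE_PERMISSIONS.get(caller.role, set())
    if action not in perms:
        return False
    owner = BOT_OWNERS.get(bot_id)
    if owner is None:
        return False
    return owner == caller.user or f"{action}:any" in perms


def start_bot(caller: Caller, payload) -> dict:
    """Validate first, authorize second, and only then touch application logic."""
    errors = validate_payload(payload, START_BOT_SCHEMA)
    if errors:
        return {"status": 400, "errors": errors}
    if not authorize(caller, "bot:start", payload["bot_id"]):
        return {"status": 403, "errors": ["not permitted"]}
    return {"status": 200, "started": payload["bot_id"]}


if __name__ == "__main__":
    alice = Caller("alice", "trader")
    print(start_bot(alice, {"bot_id": 17, "pair": "BTC/USDT", "amount": 0.5}))
    print(start_bot(alice, {"bot_id": 42, "pair": "BTC/USDT", "amount": 0.5}))
    print(start_bot(alice, {"bot_id": "17", "pair": "btc/usdt", "amount": 0.5, "role": "admin"}))
```

Two design points matter here. Validation runs before authorization so that the authorization code only ever sees well-typed input (the ownership lookup would otherwise be handed a string where it expects an integer). And the ownership check is a separate step from the role check: a trader is allowed to start bots in general, but still gets a 403 when the `bot_id` in the request belongs to someone else, which is precisely the identifier-swapping path the authorization paragraph warns about.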

It’s vital that API security is given the time and proactive attention it truly requires; developers are too often pushed by tight time-to-market into shipping incomplete or insecure code. While an agile approach allows bugs to be squashed frequently, a security patch issued after the keys have already leaked is simply too little, too late.

Author

Sumit is a Tech and Gadget freak and loves writing about Android and iOS, his favourite past time is playing video games.
