This week, we check out the recent API-related vulnerabilities at Twitter and Grandstream Networks, the newly added support for mutual TLS (mTLS) in AWS API Gateway, and the API security episode in the Application Security Podcast.

Vulnerability: Twitter

A misconfiguration in the Twitter developer portal caused browsers to cache API keys, account access tokens, and account secrets.

It is highly unlikely that the vulnerability has been exploited: attackers would not only have had to know about it, they would also have needed physical access to their victims' computers. That said, the flaw could have leaked these secrets on shared computers, where a later user of the same browser profile can read the disk cache.

To avoid issues like this one, never let the client cache sensitive data: responses that carry API keys, tokens, or secrets should be sent with Cache-Control: no-store (so neither the browser nor an intermediate cache keeps a copy), and secrets should not be persisted in client-side storage at all.
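As an added example (not code from the newsletter, from Twitter, or from any of the vendors mentioned), the following stdlib-only Python shows both sides of that advice: a WSGI middleware that forces no-store headers on every response served under secret-bearing paths, and an audit helper that flags a response whose headers would let a browser keep the body in its disk cache. The sample app, its /api/keys and /api/tokens paths, and the key material in the body are constructed stand-ins for illustration.

```python
"""Server-side defence against browser caching of secrets.

Added example, not the newsletter's or Twitter's code. The path prefixes,
the sample app and the key values in it are constructed for illustration.
"""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Header set that stops every cache (browser, proxy, CDN) from storing the body.
NO_STORE_HEADERS: Headers = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),  # for HTTP/1.0 caches that ignore Cache-Control
    ("Expires", "0"),
]

# Headers that influence caching; the middleware replaces them rather than appending.
_CACHE_HEADERS = {"cache-control", "pragma", "expires"}


def audit_cache_headers(headers: Headers) -> List[str]:
    """Return findings for a response that is expected to carry secrets.

    An empty list means the headers forbid storage. Any finding means a
    browser could keep the body in its cache, which is the class of bug
    described for the Twitter developer portal.
    """
    lowered = {k.lower(): v for k, v in headers}
    cc = lowered.get("cache-control", "")
    directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
    if "no-store" in directives:
        return []  # no-store overrides every other caching directive
    findings = ["Cache-Control lacks no-store"]
    if "public" in directives:
        findings.append("Cache-Control: public lets shared caches keep the body")
    for d in directives:
        if d.startswith("max-age=") and d != "max-age=0":
            findings.append("positive max-age lets the browser store the body: " + d)
    if "expires" in lowered and lowered["expires"] not in ("0", "-1"):
        findings.append("Expires header allows storage until " + lowered["expires"])
    return findings


class NoStoreMiddleware:
    """Force no-store headers on every response under a secret-bearing path prefix."""

    def __init__(self, app: Callable, secret_prefixes: Iterable[str]):
        self.app = app
        self.secret_prefixes = tuple(secret_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(self.secret_prefixes):
            return self.app(environ, start_response)

        def guarded_start_response(status, headers, exc_info=None):
            # Drop whatever cache headers the app set and impose the no-store set.
            kept = [(k, v) for k, v in headers if k.lower() not in _CACHE_HEADERS]
            return start_response(status, kept + NO_STORE_HEADERS, exc_info)

        return self.app(environ, guarded_start_response)


def sample_app(environ, start_response):
    """Constructed stand-in for a developer portal whose keys endpoint allows caching."""
    if environ["PATH_INFO"] == "/api/keys":
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Cache-Control", "public, max-age=86400")])
        return [b'{"api_key": "EXAMPLE_KEY", "api_secret": "EXAMPLE_SECRET"}']
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "max-age=3600")])
    return [b"<html>public docs, safe to cache</html>"]


def run_request(app, path: str) -> Tuple[str, Headers, bytes]:
    """Call a WSGI app offline and collect status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


# Hypothetical prefixes under which the portal returns credentials.
PROTECTED_APP = NoStoreMiddleware(sample_app, secret_prefixes=["/api/keys", "/api/tokens"])

if __name__ == "__main__":
    for app, label in ((sample_app, "unprotected"), (PROTECTED_APP, "protected")):
        _, hdrs, _ = run_request(app, "/api/keys")
        print(label, hdrs, audit_cache_headers(hdrs) or "OK")
```

The audit treats no-store as decisive because it overrides every other directive; public or a positive max-age only matter when no-store is absent. The middleware deliberately leaves non-secret paths alone so static assets stay cacheable, which is why the prefix list, not a blanket header, is the right place to encode the policy.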

Vulnerability: Grandstream Networks

Grandstream Networks is a global provider of IP voice and video services, as well as WiFi and related services and equipment, operating in over 150 countries.

Roughly 5 million Grandstream devices and services are managed through the company's GWN.Cloud management platform. Researchers from Pen Test Partners took a look at the platform and found vulnerabilities in the APIs behind it.

The web UI used an API to change device and network settings. When a user applied chang

#security #api #cybersecurity #apis #twitter #podcast #api security #newsletter #api vulnerabilities #aws api gateway

API Security Weekly: Issue #104