This week, we look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and more!

This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020.

Vulnerability: Aura COVID-19 Tracing App

Another mandatory COVID-19 tracing app was found to leak the personal information and health status of its users. This time it was Aura, an app that Albion College in Michigan has made mandatory for all students.

Among other issues, such as secret keys for the backend server hard-coded into the app, the app also had an API that allowed account numbers to be enumerated. For a given account number, anyone could retrieve the student's COVID status, the date of testing, and the student's full name.

Lessons to be learned from this case are familiar:

  • Never allow any sort of account enumeration in your APIs.
  • Prevent IDOR/BOLA attacks by enforcing authorization on every request and letting each account access only its own data.
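To make the two lessons concrete, here is an added example (not code from the article or from the Aura app) of a minimal "get my COVID status" lookup in its vulnerable form beside a hardened one. The record fields, user names and in-memory store are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one student's test record, with the fields the
# article says the Aura API exposed (full name, status, test date).
@dataclass(frozen=True)
class Record:
    account: str    # opaque, non-sequential identifier
    owner: str      # authenticated user allowed to read this record
    full_name: str
    status: str
    tested_on: str

ACCOUNTS = {}  # account id -> Record; stands in for the backend database

def new_account_id() -> str:
    # Unguessable identifier: the API cannot be walked with a counter.
    return secrets.token_urlsafe(16)

def add_record(owner: str, full_name: str, status: str, tested_on: str) -> str:
    acct = new_account_id()
    ACCOUNTS[acct] = Record(acct, owner, full_name, status, tested_on)
    return acct

def _public_view(rec: Record) -> dict:
    return {"name": rec.full_name, "status": rec.status, "tested_on": rec.tested_on}

def get_status_vulnerable(account: str):
    # BOLA/IDOR: the caller's identity is never checked, so any existing
    # account id returns someone else's health data, and the 404-vs-200
    # difference confirms which ids exist.
    rec = ACCOUNTS.get(account)
    if rec is None:
        return 404, None
    return 200, _public_view(rec)

def get_status_hardened(account: str, caller: Optional[str]):
    # 1. Require an authenticated caller.
    if caller is None:
        return 401, None
    rec = ACCOUNTS.get(account)
    # 2. Object-level authorization: the caller must own the record.
    # 3. "Not found" and "not yours" get the same answer, so a valid id
    #    belonging to another student is indistinguishable from a bogus one.
    if rec is None or rec.owner != caller:
        return 404, None
    return 200, _public_view(rec)
```

Rejecting foreign ids with the same status code as missing ids matters as much as the ownership check: a distinguishable "exists but forbidden" reply would still let an attacker enumerate which account numbers are real.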

We have previously covered API vulnerabilities in various coronavirus tracing apps in our issues 83 and 86.

Vulnerability: Kubernetes

Do not assume that localhost calls are automatically safe. Attacks are often chained, and attackers can expand their reach once they have passed the initial defense. If a vulnerable local proxy runs on a system that automatically trusts it, attackers can use that proxy to carry out their malicious activity.


API Security Weekly: Issue