This week, we look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and more!
This week, we take a look at the recently reported API vulnerabilities in the COVID-19 tracing app Aura and in Kubernetes, some API security best practices, and a talk on OWASP API Top 10 from DEF CON 2020.
Another mandatory COVID-19 tracing app was found to leak the personal information and health status of its users. This time it was Aura, an app that Albion College in Michigan has made mandatory for all students.
Among other issues, such as hard-coded secret keys for the backend server, the app also exposed an API that allowed account numbers to be enumerated. For a given account, one could retrieve the COVID status of a student, the date of testing, and the student's full name.
Lessons to be learned from this case are familiar:
Do not assume that localhost calls are automatically safe. Attacks are often stacked, and attackers can expand their reach once they have passed the initial defense. If a system automatically trusts a local proxy and that proxy is vulnerable, attackers can use it for their malicious activity.
After the special 100th edition last week, which was all about API security advice from the industry's thought leaders, this week we are back to our regular API security news, and we have twice the usual number of items, covering the past two weeks.
This week, we look at recent vulnerabilities in Zoom and OkCupid, progress on the draft for OAuth 2.1, and a video tutorial on discovering leaky APIs.
Learn which API security threats engineering leaders should be most aware of, and the steps you can take to prevent them.
This week, we look at recent API vulnerabilities at Facebook and in the campaign apps for the US presidential election, a new book on the OpenAPI Specification (OAS), and more.
This week, we look at the recent vulnerability in Cisco Data Center Network Manager, the API aspect of the data breach at MGM Grand Resort, and more.