In August, dozens of organizations using Microsoft Power Apps inadvertently exposed 38 million records — COVID-19 contact tracing, job applicants' Social Security numbers, and even 332,000 email addresses and employee IDs used by Microsoft's own global payroll services.
In addition to Microsoft, other organizations affected included American Airlines; Ford; J.B. Hunt; and agencies in Indiana, Maryland and New York City.
According to researchers at UpGuard, the security firm that discovered the leaks, Microsoft Power Apps portals were easy to set up in such a way as to allow for public access.
"Multiple governmental bodies reported performing security reviews of their apps without identifying this issue," said the report.
The problem lay in how the system's application programming interfaces — the APIs — were configured.
"The tools that allow the creation of APIs are defaulted to make the data accessible to the public, and organizations must enable privacy settings manually," said Radu Crahmaliuc, security specialist at security firm Bitdefender.
Most of them didn’t, he told Data Center Knowledge.
"But that’s a problem not only with Microsoft Power Apps," he added. "It’s systemic. Amazon Web Services S3, Elasticsearch and MongoDB have all gone through similar experiences."
APIs allow different systems to exchange data. For example, a company might use an API to connect with a third-party service, set up an outward-facing API so that partners can interact with its systems, or use APIs to let mobile apps talk to back-end data platforms.
Since APIs are often used to provide access to the most critical data and systems, vulnerable APIs can be extremely damaging for companies.
According to Akamai, API communications now account for more than 83% of all Internet traffic.
And the API breaches are starting to pile up.
This past May, fitness company Peloton announced that it had exposed customer account data on the internet because of a faulty API that permitted unauthenticated requests. Anyone could access users’ account data from Peloton’s servers, even if the users had set their account profiles to private.
Other companies in the news recently for API-related cybersecurity problems include Equifax, Instagram, Facebook, Amazon and PayPal.
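To make the Peloton-style failure concrete, here is an added example (not code from the article, from Peloton or from any of the vendors quoted) of a profile-lookup handler that answers any request, beside a hardened version that authenticates the caller and then applies object-level authorization and the profile's own privacy flag. The users, tokens and request dictionaries are constructed for illustration; a real service would validate a signed token rather than look it up in a dictionary.

```python
from dataclasses import dataclass, asdict

@dataclass
class Profile:
    user_id: int
    display_name: str
    email: str
    is_private: bool

# Constructed sample records (hypothetical users, not real data).
PROFILES = {
    1: Profile(1, "alice", "alice@example.com", is_private=True),
    2: Profile(2, "bob", "bob@example.com", is_private=False),
}

# Constructed bearer tokens mapped to user ids (assumption: a session store).
SESSIONS = {"token-alice": 1, "token-bob": 2}

def _caller_from_header(request: dict):
    """Resolve 'Authorization: Bearer <token>' to a user id, or None if absent/invalid."""
    header = request.get("authorization", "")
    parts = header.split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer":
        return None
    return SESSIONS.get(parts[1])

def get_profile_vulnerable(request: dict) -> dict:
    """The flaw the article describes: any caller gets the full record for any id,
    with no authentication and no check of the profile's privacy setting."""
    try:
        profile = PROFILES.get(int(request["user_id"]))
    except (KeyError, ValueError):
        return {"status": 400}
    if profile is None:
        return {"status": 404}
    return {"status": 200, "body": asdict(profile)}

def get_profile_hardened(request: dict) -> dict:
    """Authenticate first, then authorize per object (OWASP API Top 10: broken
    object level authorization), then redact fields that are not the caller's own."""
    caller = _caller_from_header(request)
    if caller is None:
        return {"status": 401}                      # unauthenticated requests are refused
    try:
        profile = PROFILES.get(int(request["user_id"]))
    except (KeyError, ValueError):
        return {"status": 400}
    if profile is None:
        return {"status": 404}
    if profile.user_id == caller:
        return {"status": 200, "body": asdict(profile)}   # owner sees everything
    if profile.is_private:
        return {"status": 403}                      # private profiles are not visible to others
    # Public profile viewed by someone else: expose only non-sensitive fields.
    return {"status": 200, "body": {"user_id": profile.user_id,
                                    "display_name": profile.display_name}}
```

The hardened handler refuses unauthenticated calls outright, so the "anyone could access" case is closed before any data is read, and the privacy flag is enforced server-side rather than trusted to the mobile client.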
In fact, according to an IBM Security X-Force report released last month, two-thirds of all cloud breaches are now due to misconfigured APIs.
"APIs present a significant security risk for businesses as they serve as the underpinnings and connective tissue for modern applications," said John Cosgrove, senior product manager for advanced bot protection at Imperva.
And companies probably have a lot more APIs than they think they do, said Jason Kent, hacker in residence at Cequence Security.
"APIs are now the fabric of all new apps, but they have been in use for many years by microservices and mobile app and cloud development teams," he told Data Center Knowledge. "Visibility is paramount to strong security so understanding how many APIs you have and how they operate will be key."
Who Watches the APIs?
One problem with API security is that it falls across several domains.
On the one hand, software developers typically set up APIs. But APIs typically serve business purposes and belong to individual business units.
And since APIs require authentication and authorization, security teams are responsible for locking them down or enforcing the use of API gateways.
And since APIs live in data centers and cloud environments, data center managers and operations teams might be responsible for setting up the core infrastructure and networking to allow them to function.
This results in a shared-responsibility model, said Jonathan Parnell, senior consultant for cloud and data center transformation at Insight.
"The challenge in a shared-responsibility model for APIs is who actually controls and owns what," he told Data Center Knowledge.
The business units, the security teams, the operations folks and the application developers all might have different ideas of what they want the API to do, how it should do it and what the limitations should be.
That could result in a lot of meetings to hash everything out, Parnell said.
As APIs proliferate and change quickly, this becomes very difficult to manage.
The key, he said, is for companies to create basic standards and common practices for API deployments and involve all constituents in the creation of that governance structure.
"Everyone who touches that API should get together and agree on what those policies are," he said.
Otherwise, enterprises won't be able to build the API-first economies that many are now aiming for.
APIs are a particularly dangerous kind of attack vector because they are designed to move large quantities of data, or perform high-volume services.
For example, an API can be used to, say, request sensitive data or order a payment to be made.
And since APIs are designed to be used by computers talking to other computers, not by humans, the usual methods to stop bot attacks — like, say, CAPTCHAs — do not apply.
"Bots attack legitimate business logic," said Sandy Carielli, principal analyst at Forrester Research.
Companies need to be able to differentiate between bad bots and good bots, she said.
"So you need tools that go beyond traditional application protections," she told Data Center Knowledge.
For example, web application firewall vendors and content delivery networks have begun adding bot management to their portfolios, she said. There are also companies that specialize in bot management.
CAPTCHAs have a role, especially when the API is used to connect a system like, say, a mobile app that has a human user.
"But bot management solutions may also send bots to honeypots, delay bots, send back fake data and try other challenges," she added.
Bots can be used to attack APIs in other ways than just stealing data.
For example, they can flood a system with requests so that it is forced to shut down.
Or bots can use APIs to buy concert tickets, limited-edition sneakers or hot gaming systems before real human customers can grab them, she said.
"We are even seeing bots weaponize vaccine availability," she said. "In India, bots overwhelmed the booking system, and criminals started to charge people to book slots."
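Because a CAPTCHA cannot sit in front of machine-to-machine traffic, the first control most teams reach for against request floods and scraping is a per-client rate limit at the gateway. The following is an added example, not code from the article or any vendor named in it, of a sliding-window limiter replayed over a constructed API access log (the timestamps, API keys and paths are made up for illustration); it reports, per client, how many calls would have been served and how many would have received a throttling response.

```python
from collections import defaultdict, deque

# Constructed sample access log: "<unix-timestamp> <api-key> <method> <path>".
# Not real traffic; app-key-7f3 walks sequential profile ids at one call per second.
SAMPLE_LOG = """\
1630000000 app-key-7f3 GET /v1/profile/1001
1630000001 app-key-7f3 GET /v1/profile/1002
1630000002 app-key-7f3 GET /v1/profile/1003
1630000003 app-key-7f3 GET /v1/profile/1004
1630000004 app-key-7f3 GET /v1/profile/1005
1630000005 app-key-7f3 GET /v1/profile/1006
1630000006 app-key-7f3 GET /v1/profile/1007
1630000000 app-key-2ab GET /v1/me
1630000030 app-key-2ab POST /v1/checkout
1630000015 app-key-7f3 GET /v1/profile/1008
"""

class SlidingWindowLimiter:
    """Allow at most max_requests served calls per client in any window_seconds span.
    Only calls that were actually served consume capacity; rejected calls do not."""

    def __init__(self, max_requests: int, window_seconds: int):
        self.max_requests = max_requests
        self.window = window_seconds
        self._served = defaultdict(deque)   # client -> timestamps of served calls

    def allow(self, client: str, ts: int) -> bool:
        q = self._served[client]
        # Drop served calls that have aged out of the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False                   # gateway would answer 429 Too Many Requests
        q.append(ts)
        return True

def parse_log(text: str):
    """Parse the constructed log format and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path = line.split()
        events.append((int(ts), client, method, path))
    events.sort(key=lambda e: e[0])        # logs from several nodes may arrive out of order
    return events

def replay(text: str, max_requests: int = 5, window_seconds: int = 10) -> dict:
    """Replay a log through the limiter; returns {client: {"allowed": n, "throttled": m}}."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    summary = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    for ts, client, _method, _path in parse_log(text):
        key = "allowed" if limiter.allow(client, ts) else "throttled"
        summary[client][key] += 1
    return dict(summary)

if __name__ == "__main__":
    for client, counts in replay(SAMPLE_LOG).items():
        print(client, counts)
```

With a limit of 5 calls per 10 seconds, the sequential-id client has its sixth and seventh calls throttled and is served again once its earlier calls age out of the window, while the low-volume client is never touched. A limiter alone does not distinguish a legitimate burst from a bot, which is why the article's sources pair it with bot-management tooling; but it is the cheapest control that applies even where a CAPTCHA cannot.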
It's Only Getting Worse
According to Salt Security, API attacks increased 348% in the first six months of this year, and 94% of companies had an API-related security incident in the past 12 months.
Meanwhile, the average number of APIs per company more than tripled, from 28 in July 2020 to 89 in July 2021, the report said, while the average monthly API call volume grew by 141% during the same period.
In the past 12 months, 55% of companies said they found vulnerabilities in their APIs, 19% had sensitive data exposed, 39% found authentication problems, 23% suffered denial-of-service attacks, 16% saw brute-force attacks or credential stuffing, and 12% saw scraping.
Only 6% of companies had no API-related problems.
Part of the issue, according to the report, is that too many companies are relying solely on developers to secure APIs.
"APIs require runtime protection and security controls external to the code to be protected," the report said.
There are also some basic steps that companies should be taking to secure their APIs, said Elad Koren, chief product officer at Salt Security.
That includes fixing and patching vulnerabilities, he told Data Center Knowledge, following authentication best practices, and using the OWASP API Top Ten list to identify and fix the most common weaknesses.