Now my Mum starts asking me about API Security

If friends or family start asking you questions about topics that you usually consider important but that carry a certain “nerd factor”, then something has gone wrong (or right; we will find out later in this post). The recent news about data leakage at Instagram, a growing app of the Facebook family focused on social image sharing, made it into the headlines for all the wrong reasons. What happened? I had to explain it to my Mum and thought a few words on API security for dummies would be helpful.

Instagram’s API Security bug

First, some prominent people got their Instagram accounts hacked, with their e-mail addresses, telephone numbers and usually very private pictures exposed. See: Hackers exploited an Instagram bug to get celebrity phone numbers and e-mail addresses.

But it did not stop here: An Instagram hack hit millions of accounts, and victims’ phone numbers are now for sale.

So far, so unpleasant for Instagram users, but the recent growth in attacks and data leaks is only the beginning. More and more exploits become public, and the amount of personal information leaked is about to explode. If you are starting to worry whether your e-mail address appears in one of these breaches, go to https://haveibeenpwned.com/ by Australian security expert Troy Hunt and check your account. It is no shame to be listed there, considering the big-name online services that appear in his database of leaked accounts.

API security for dummies: implications and impact

So my Mum started to ask me about the impact of somebody stealing her e-mail address or phone number. “First and foremost, spam in your inbox” was my reply, but it does not stop there. Scams like the IRS tax scam will probably hit US Instagram users too.

Unfortunately, from a user’s perspective the mailbox is pretty much the centre of access to everything else, so once a hacker holds a validated e-mail address, getting access to that mailbox is just around the corner considering password quality these days. Pretty much all services rely on e-mail verification, and they allow a password to be reset via e-mail too. Guess what you can do once you have access to somebody’s mailbox. I can only recommend setting up a two-factor protection mechanism for mailboxes.

What are the reasons?

But what is the reason for the growing number of hacks and the amount of data being exposed? Well, from my perspective there are multiple reasons:

  • The first reason is that companies do not do a good enough job to protect their data and their customers.
  • Secondly, I believe that at the same time the complexity of running apps and APIs, and the required speed of change, have climbed to a level where an approach that relies only on people (team size and culture might also have an impact) is not going to work anymore. Somebody is going to make a mistake and the system is going to fall apart. Automation is key; DevOps, CI and CD are buzzwords, but they describe principles that are very important in such a context. Would proper API testing have helped to prevent such a case? Probably. Would an API security solution based on machine learning have helped? Probably too.
  • The last aspect is that users quite often take the easy path, choosing bad passwords or the same password for all services, which makes it even easier to hack them. Sorry, Mum! In this Instagram example it would not have made any difference, but often enough it is the next level of the problem once the user’s e-mail address has been identified. Is it the user’s fault? I don’t think so, as today’s systems should support people in doing these things, and it seems browsers and smartphone operating systems have not made it easy and secure enough.

But coming back to my Mum: she actually understood that there is something wrong with the way Instagram has built its system, and she also understood that even choosing a good password would not have helped her.

Bad news for the future of APIs

Unfortunately, I had some bad news for her when we talked about it. APIs are growing in importance and they are going to be everywhere in the future (if they are not already everywhere). Apart from a few regulatory initiatives to secure data access, such as PSD2 in the banking industry, there are not many other such initiatives going on.

Fortunately, there are open projects such as OWASP that are starting to think about including API security in the OWASP Top 10. The next Instagram example is just around the corner and the media can start drafting their articles. I’m just waiting for my Mum to call her bank and ask whether proper API security is in place …

For those who want to know what can be done to protect APIs against attacks, my previous blog post on the different API security tactics might be worth a read.