6 lessons from Venmo’s lax approach to API security

Cyber criminals are targeting application programming interfaces to steal sensitive data. Recent exposures and hacks at companies like Venmo, Facebook and Google present lessons to improve API security.

venmo data breach lock security breach circuit board by weerapatkiatdumrong getty
weerapatkiatdumrong / Getty Images

Earlier this summer, a computer science student was able to access information on seven million Venmo transactions, including the full names of people sending money through the platform. Last year, another researcher was able to download more than 200 million transactions.

This wasn't a case of someone exploiting a vulnerability to hack into a system, or a company accidentally leaving a database in full public view. Venmo made the data accessible by offering a public application programming interface (API) — that allows the public to download the data. The available data includes names and transaction descriptions. Some transaction descriptions include details of illegal drug activity.

Divorce attorneys and IRS auditors could also potentially make use of this information, says Keith Casey, API problem solver at Okta, an access management company. "As a security issue, it also creates the opportunity for malicious actors to use this publicly available payment record for social engineering attacks," he added. "With 40 million active users, Venmo’s APIs are an unlocked front door to a treasure trove of insights."

Venmo isn't alone. APIs are a major security headache for many companies. According to a survey released late last year by Ping Identity, 60% of companies have more than 400 APIs, up from 46% a year earlier. In fact, 51% aren't sure their security teams know about all the APIs that exist in the organization, and 45% aren't confident in their ability to detect if a bad actor is accessing the APIs. "Security professionals need to get involved with the development of these APIs," says Humberto Gauna, consultant at BTB Security.

Of course, in the case of Venmo, the open API seems to be a deliberate choice by the company, since it knew about the problem for a year. "The API functioned as it was designed," says Gauna. "They have made some changes, so that those who are trying to harvest data can't get it as quickly as before. But I wouldn't call that security. It's more of an inconvenience."

Facebook has had similar API-related problems, he says. Like Venmo, Facebook user data was made public by default, and users would have to opt in to make their data more private. That's because Facebook was making money from its customers’ data, he says.

These are the lessons that can be learned from Venmo and other organizations that leave APIs open:

1. Pay attention to your partners

In April, security researchers at UpGuard found more than 540 million Facebook records in unsecured databases. The data was leaked by a Mexican media company, Cultura Colectiva, which accessed the Facebook data through an API. Other third parties have accessed Facebook data as well, including, most famously, Cambridge Analytica, which resulted in a $5 billion fine for Facebook from the Federal Trade Commission in July.

Facebook has recently suspended hundreds of apps and rolled out new rules restricting how developers can use the company's APIs. But the problem is that once a third party has collected the data, there's often no way to get it back.

Here the problem isn't the API itself, but Facebook's business decision to share too much user data with too many third parties. Companies will have to pay much closer attention to the businesses they share data with. For example, the California Consumer Privacy Act (CCPA) will require companies to track these data flows, and allow individuals to delete their data.

2. Make sure APIs are secured

In some cases, developers make mistakes when setting up an API, and unauthorized parties can hijack it to access data. Facebook has done that, too.

Last September, attackers accessed 50 million user profiles, forcing the company to shut down the "View As" feature that was at the core of the problem. Facebook CEO Mark Zuckerberg says that attackers had accessed the developer API. Then in December, Facebook admitted that a bug in its photo API affected up to 6.8 million users and 1,500 apps. Not to be left out, last October, Google admitted that a bug in its Google Plus API exposed private data of up to 500,000 Google Plus user accounts. Salesforce also admitted that it had an API bug last summer, exposing the data of its Marketing Cloud customers.

Panera Bread exposed 37 million customer records via its API and ignored the vulnerability for eight months. Another example of an API-related problem hit the news last spring when security researcher Karan Saini discovered an unsecured API between India's national ID database and Indane, an Indian utility company that led to more than a billion records being exposed.

3. Avoid accidental exposure

An even more common problem is when users accidentally expose APIs or give permission when they shouldn't. "Those tend to come up more often than someone actually hacking the API," says Mike Schuricht, VP of product management at Bitglass, a security vendor. For example, Office 365 users may give a third-party app permission to access their Office 365 account, he says. "Now that other app has back-end connectivity to an area where sensitive corporate information is stored."

Companies have to be able to continuously monitor access permissions to their data and systems, he says.

4. Beware of data breaches

Sometimes, an API can be exposed not through any fault of the enterprise or individual user, but as a result of vulnerabilities in the underlying technology. For example, this July, Lenovo disclosed a high severity vulnerability in Iomega and LenovoEMC network-attached storage products that could allow unauthenticated users to access files via the API. The vulnerability was discovered because security researchers found 36 terabytes of data that included sensitive financial information such as card numbers and financial records.

According to Gartner, API abuses will become the most common type of web application attack resulting in a data breach by 2022. In 2017, Open Web Application Security Project added a strong focus on API vulnerabilities to its OWASP Top 10 list. In January 2019, OWASP followed up with the launch of its API Security Project, with the first version of the API Security Top 10 list scheduled for release in the fourth quarter of this year.

5. Encrypt and authenticate

To lock down APIs, companies should make sure that the API traffic is encrypted, says Laurence Pitt, security strategy director at Juniper Networks. "Then use some form of authentication to allow access," he says. "Basic authentication would likely be enough, but if the data is sensitive, consider having the authentication backed by certificates."

That still leaves open the possibility that the credentials have been stolen, he says. In fact, according to a report released last year by Akamai based on more than 400 million login requests, 30% of all API authentication attempts are fraudulent.

6. Track how APIs are used

For added security, companies should track how the APIs are being used, says Peter Blum, VP of technology at Instart, a cloud security company. "If the same account is used from five different countries, that can help you narrow down if there's misuse going on," he says.

There are other protections that a company can implement, he adds. For example, if an API is meant to be accessed by a mobile app, there are ways to check if it's being used via some other platform. Companies should also follow security best practices when designing the APIs, he says, including protecting against SQL injections, cross-site scripting and similar attacks. "And if you have a web application firewall in front of your website, you want to do the same in front of your API," he added.

These are not new issues, says Avinash Ramineni, CTO at Kogni, an Arizona-based cybersecurity vendor. "They are not zero-day flaws," he says. "They are well understood and have been for a very long time."

Many companies don't pay enough attention to the fact that APIs are an entry point into their databases. "There aren't enough security personnel involved in the design of APIs," he says.

There are also new tools emerging, using machine learning and artificial intelligence to identify suspicious behaviors and protect APIs for attacks, he says. "It requires people, processes and tools to help address these challenges."

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)