Common API security issues: From exposed secrets to unauthorized access – Help Net Security

Summary: APIs are increasingly targeted by cybercriminals due to serious security vulnerabilities, including exposed secrets like passwords and API keys. Organizations are struggling to secure their APIs amidst a growing number of attacks and outdated security measures.


Key Points:

  • 35% of exposed API keys remain active, increasing risks for privilege escalation and data breaches.
  • Secrets like passwords and API keys are most commonly found on platforms like GitHub, with significant exposure rates.
  • Organizations are relying on outdated security measures: 84% lack advanced API security.
  • 95% of companies reported experiencing API security issues in the past year, impacting application rollout.
  • 29% of web attacks targeted APIs, with the commerce sector being the most affected.
  • Escape’s research uncovered over 18,000 exposed API secrets, with 41% classified as highly critical.

Despite their role in connecting applications and driving innovation, APIs often suffer from serious security vulnerabilities. Recent investigations reveal that many organizations are struggling with exposed secrets such as passwords and API keys, which attackers frequently misuse. The persistence of these vulnerabilities, coupled with outdated security measures, underscores a growing concern.

APIs security vulnerabilities

35% of exposed API keys still active, posing major security risks

Nightfall AI | State of Secrets Report | August 2024

  • Secrets like passwords and API keys were most often found in GitHub, with nearly 350 total secrets exposed per 100 employees every year.
  • 35% of all API keys discovered were still active — posing a major risk for privilege escalation attacks, data leaks, data breaches and more.
  • Passwords account for over half (59%) of detected secrets, with API keys making up most of the remainder (39%).
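The secrets the Nightfall figures count are typically found by pattern matching over repository contents. The following is an added example, not code from the article or from Nightfall, of a minimal scanner of that kind: it flags password assignments and API-key-shaped tokens, uses a Shannon-entropy threshold to drop obvious placeholders, and redacts values before reporting them so the scanner's own output does not become another leak. The regexes, the entropy threshold and the sample configuration file are illustrative assumptions; real scanners ship hundreds of provider-specific rules.

```python
"""Added example: a minimal secret scanner (illustrative patterns, not any vendor's rules)."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # which rule fired, e.g. "password" or "aws_access_key"
    line_no: int    # 1-based line in the scanned text
    value: str      # the raw secret; never log this, use redact()


# Assumption: these patterns are illustrative. Case-insensitive key names such as
# DB_PASSWORD=... or password: ... followed by at least 6 non-space characters.
PASSWORD_RE = re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*['"]?([^\s'"]{6,})""")

# Provider-shaped rules first (high confidence), then a generic catch-all.
SPECIFIC_KEY_RES = {
    "aws_access_key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}
GENERIC_KEY_RE = re.compile(
    r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-]{20,})"""
)
MIN_ENTROPY = 3.0  # bits per character; assumption used to skip placeholders like "xxxx..."


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a finding can be triaged without re-leaking it."""
    return f"{value[:4]}...{value[-2:]}"


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; provider rules take precedence over the generic rule."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        m = PASSWORD_RE.search(line)
        if m:
            findings.append(Finding("password", line_no, m.group(2)))
            seen.add(m.group(2))
        for kind, rx in SPECIFIC_KEY_RES.items():
            for m in rx.finditer(line):
                findings.append(Finding(kind, line_no, m.group(1)))
                seen.add(m.group(1))
        for m in GENERIC_KEY_RE.finditer(line):
            value = m.group(1)
            if value in seen:
                continue  # already reported by a more specific rule
            if shannon_entropy(value) < MIN_ENTROPY:
                continue  # low-entropy placeholder, not a real credential
            findings.append(Finding("generic_key", line_no, value))
    return findings


# Constructed sample input (not real credentials): a config file as it might be committed by mistake.
SAMPLE_CONFIG = """\
DB_HOST=db.internal
DB_PASSWORD=Tr0ub4dor&3
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
secret = "Qm7vX2pLk9RtZ4wNb8Hc3Ys6"
"""


def summarize(text: str) -> dict[str, int]:
    """Count findings per rule, the breakdown the report above gives for passwords vs. API keys."""
    return dict(Counter(f.kind for f in scan_text(text)))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
    print(summarize(SAMPLE_CONFIG))
```

Finding a key is only half the check the report implies: the 35% figure is about keys that were still *valid* when found, so a triage workflow should verify each finding against the provider (a read-only call with the key, or the provider's token-validation endpoint) and revoke anything that answers, rather than assuming old commits are dead.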


Organizations use outdated approaches to secure APIs

Cloudflare | State of Application Security 2024 | July 2024

  • DDoS remains the most leveraged threat vector against web applications and APIs, comprising 37.1% of all application traffic mitigated by Cloudflare.

Security challenges mount as companies handle thousands of APIs

F5 | State of Application Strategy Report | June 2024

  • 90% of survey respondents said they manage fewer than 200 apps, a number that tends to fall as digital transformation proceeds. API counts, by contrast, only go up: more than 41% manage at least as many APIs as apps.
  • The proliferation of APIs has led companies to embrace new methods to manage and secure their growing networks. 95% have now implemented API gateways to provide authentication, validate requests, and rate limit traffic.
  • 43% have automated their security infrastructure for both apps and APIs.


95% of companies face API security problems

Fastly | API Security Study 2024 | March 2024

  • 84% of respondents admitted to not having advanced API security in place.
  • 95% of respondents said they had experienced API security problems in the last twelve months.
  • 79% had delayed the rollout or integration of a new application due to API security concerns.

API environments becoming hotspots for exploitation

Akamai | Lurking in the Shadows: Attack Trends Shine Light on API Threats | March 2024

  • A total of 29% of web attacks targeted APIs over 12 months (January through December 2023), indicating that APIs are a focus area for cybercriminals.
  • Commerce is the most attacked vertical with 44% of API attacks, followed by business services at nearly 32%.


Researchers discover exposed API secrets, impacting major tech tokens

Escape | API Secret Sprawl Study | February 2024

  • Escape’s security research team scanned 189.5 million URLs and found more than 18,000 exposed API secrets. 41% of the exposed secrets were classified as highly critical, meaning they could expose the affected organizations to financial loss.


Source: https://www.helpnetsecurity.com/2024/08/19/apis-security-vulnerabilities