Cyberlands.io - API Penetration Testing
1. Clubhouse
Clubhouse, the audio chat app, revealed that an unknown user had relayed audio from several chat rooms to a third-party website. The user did not break into the app in any conventional sense: they connected directly to the application programming interface (API) that carries the audio, joined multiple rooms, captured the streams and republished them on their own site. Clubhouse treated this as a violation of its terms and conditions rather than as a compromise of its systems.

Clubhouse did not disclose how many people were affected, but it banned the user from the platform and introduced new measures to harden its API. Agora, the real-time audio provider whose API Clubhouse is built on, saw its own share price fall 15.4% on the news. For users the impact was limited to the invasion of privacy.
2. Mobile banking in Russia - Money stolen
In 2021 the Central Bank of Russia warned companies about an ongoing scam in which attackers use mobile banking applications to steal users' details and make transactions with them. The attackers run the banking apps under a debugger to reverse-engineer the structure of a payment order and the remote banking API calls behind it.

Once the attackers know a user's account number, they craft a transfer order that names the victim as the sender, and the API executes it against the victim's account. So far the scheme has only been used to steal from individuals' accounts; no businesses have been reported as victims.
3. British Airways - 183m GBP fine
In 2018, British Airways suffered a breach in which the details of 380,000 customers were stolen. Customer data was captured directly from payment forms, but British Airways did not disclose exactly which fields were taken, only that the breach affected both the website and the mobile app.

Because British Airways did not disclose the mechanism, the breach is suspected to have exploited weaknesses in the APIs through which the web and mobile front ends communicate with British Airways' servers. In response, the UK Information Commissioner's Office announced a proposed fine of over 183 million pounds.
4. T-Mobile USA
T-Mobile notified 2.3 million subscribers by text message that its website had been breached through an undisclosed API. The attacker operated from an undisclosed country and obtained subscribers' personal account information.

The attackers obtained subscriber names, billing zip codes, email addresses, account numbers, and the type of account each subscriber held. T-Mobile also told customers that credit card numbers, passwords, and social security numbers were not exposed. The company put the affected population at slightly under 3% of its subscribers, which is where the figure of roughly 2.3 million comes from. T-Mobile's share price fell 6.3% after the attack.
5. Facebook - circa 7m users affected
A Facebook photo API exposure affected up to 6.8 million users. It stemmed from a bug in the Facebook Login photo API: for a period in September 2018, third-party apps that users had authorised to read their timeline photos could also read photos the user had never shared on their timeline, such as photos posted to Marketplace or Stories and photos that were uploaded but never published.

Facebook described the issue as a bug rather than an attack by an identified party, and its share price dipped slightly on the disclosure.
6. United States Postal Service - 60m users impacted
In 2018, a flaw in the USPS website let any logged-in usps.com user pull records from a database of over 60 million users, including account numbers, email addresses, phone numbers, and mailing campaign data. The flaw went unaddressed for over a year after it was first reported. It was an authorization failure in an API-based service called Informed Visibility, which let an authenticated user query records belonging to other users.

Although the exposed data was extensive, USPS stated that it had no information that any customer records had been exploited, which limited the visible impact of the breach.
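Both the mobile-banking scam above and the USPS Informed Visibility flaw come down to the same bug: the API authenticates the caller but never checks that the object named in the request (a sender account, another user's record) actually belongs to that caller. The following toy in-memory handlers are an added example, not Cyberlands.io's code nor any bank's or USPS's; the account numbers, owners and request shape are constructed for illustration.

```python
"""Added example, not Cyberlands.io's code nor any bank's or USPS's: a toy
in-memory API showing broken object-level authorization, the flaw behind
both the mobile-banking transfer scam and the Informed Visibility exposure.
Account numbers, owners, balances and the request shape are constructed."""


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


def make_accounts():
    """Constructed sample data: three customers, one account each."""
    return {
        "ACC-1001": {"owner": "alice", "balance": 500, "email": "alice@example.com"},
        "ACC-2002": {"owner": "bob", "balance": 50, "email": "bob@example.com"},
        "ACC-3003": {"owner": "mallory", "balance": 10, "email": "mallory@example.com"},
    }


def transfer_vulnerable(accounts, session_user, body):
    """Trusts the 'sender' field in the request body and ignores the session.

    This is the mobile-banking pattern: an attacker who has reverse-engineered
    the payment order only needs a victim's account number to move money out.
    """
    src, dst, amount = body["sender"], body["recipient"], body["amount"]
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount
    return accounts[src]["balance"]


def transfer_fixed(accounts, session_user, body):
    """Binds the sender to the authenticated session before touching balances."""
    src, dst, amount = body["sender"], body["recipient"], body["amount"]
    if accounts.get(src, {}).get("owner") != session_user:
        raise Forbidden("sender account does not belong to the caller")
    if dst not in accounts or amount <= 0 or accounts[src]["balance"] < amount:
        raise ValueError("invalid transfer")
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount
    return accounts[src]["balance"]


def lookup_vulnerable(accounts, session_user, account_id):
    """Any logged-in user can read any record: the Informed Visibility flaw."""
    return accounts[account_id]


def lookup_fixed(accounts, session_user, account_id):
    """Returns a record only to its owner. 'Not yours' and 'does not exist' get
    the same answer so the endpoint cannot be used to enumerate account numbers."""
    record = accounts.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found")
    return record


def rejects(fn, *args):
    """True if fn(*args) raises Forbidden; used to check the fixed paths."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Mallory knows Alice's account number and names her as the sender.
    order = {"sender": "ACC-1001", "recipient": "ACC-3003", "amount": 100}
    accounts = make_accounts()
    print("vulnerable: alice's balance after mallory's order ->",
          transfer_vulnerable(accounts, "mallory", order))
    accounts = make_accounts()
    print("fixed: mallory's order rejected ->",
          rejects(transfer_fixed, accounts, "mallory", order))
    print("vulnerable lookup by mallory ->",
          lookup_vulnerable(accounts, "mallory", "ACC-1001")["email"])
    print("fixed lookup by mallory rejected ->",
          rejects(lookup_fixed, accounts, "mallory", "ACC-1001"))
```

The fixed handlers derive the acting principal from the session and compare it with the owner of the object in the request on every call; a pentester checking an API for this class of bug simply replays a valid request with another user's identifier and watches whether the server notices.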
7. Fintech Venmo - 200m transactions impacted
The payment platform Venmo was scraped because the API that serves transaction descriptions was left open, allowing mass scraping of no fewer than 200 million transactions.

The scraped data included users' full names, the memo attached to each transaction, and the transaction amounts. Some memos revealed private details of the people transacting. Users were caught unaware because few realised that Venmo transactions are public by default. Venmo itself maintained that the API had not been breached and had functioned as intended.
8. E-commerce JustDial - 100m users impacted
JustDial, an Indian local search service, was found in 2019 to be exposing its customer database. More than 100 million users had their details leaked, including email addresses, names, phone numbers, dates of birth, professions, and photos: every piece of user information held on the site.

The exposure stemmed from JustDial's API endpoints being reachable without any authentication, so anyone who found an endpoint could query user records at will. Users whose profiles were fetched in this way were the ones affected.
9. Brasil FIESP
Because of failed API security controls, Brazil's FIESP (the industrial federation of the state of São Paulo) came under fire for exposing millions of records. One of the databases alone held over 34.8 million entries, and more than 130,000 records included names, social security and identification numbers, and email addresses.

The federation was initially unwilling to accept that a breach had occurred and announced that, from its perspective, no databases had been exposed. It is therefore hard to establish who accessed the data and how the affected users and the federation itself were impacted.
10. GitLab API vulnerability
GitLab paid an ethical hacker $3,000 for reporting a flaw that could have exposed data in private GitLab groups. Riccardo Padovani, a solutions architect, found the vulnerability in November 2019 and reported to GitLab that several search API endpoints continued to return data from projects that had been switched from public to private.

GitLab's security team escalated the report to its engineering team, and the vulnerability was patched in GitLab version 12.5.4.
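The GitLab report illustrates a distinct failure mode from the ownership checks above: the data was authorised against a visibility flag that had been copied into a search index when the project was still public, so the index kept serving it after the project went private. The toy search layer below is an added example, not GitLab's code; the project, index and user names are constructed for illustration.

```python
"""Added example, not GitLab's code: authorization on search results must be
checked against the live project record, not against a visibility flag copied
into the index. Projects, members and the index are constructed."""

PUBLIC, PRIVATE = "public", "private"


class Project:
    def __init__(self, pid, visibility, members):
        self.pid = pid
        self.visibility = visibility
        self.members = set(members)


class SearchIndex:
    """Full-text index that snapshots each project's visibility at index time,
    as a real search backend does. The snapshot goes stale when the project
    is later made private unless it is re-indexed."""

    def __init__(self):
        self.docs = {}

    def add(self, project, text):
        self.docs[project.pid] = {"text": text, "visibility": project.visibility}

    def raw_search(self, term):
        return [pid for pid, doc in self.docs.items() if term in doc["text"]]


def can_read(project, user):
    """Live authorization: public projects are readable by anyone,
    private ones only by current members."""
    return project.visibility == PUBLIC or (user is not None and user in project.members)


def search_vulnerable(index, projects, user, term):
    """Filters hits using the visibility copied into the index (stale)."""
    return [pid for pid in index.raw_search(term)
            if index.docs[pid]["visibility"] == PUBLIC or user in projects[pid].members]


def search_fixed(index, projects, user, term):
    """Filters hits against the current project record on every query."""
    return [pid for pid in index.raw_search(term) if can_read(projects[pid], user)]


def build_scenario():
    """Constructed scenario: a project is indexed while public, then switched
    to private without the index being refreshed."""
    projects = {"p7": Project("p7", PUBLIC, members={"carol"})}
    index = SearchIndex()
    index.add(projects["p7"], "rotate the deploy token every 90 days")
    projects["p7"].visibility = PRIVATE  # stale snapshot remains in the index
    return index, projects


if __name__ == "__main__":
    index, projects = build_scenario()
    print("anonymous, vulnerable:", search_vulnerable(index, projects, None, "token"))
    print("anonymous, fixed:     ", search_fixed(index, projects, None, "token"))
    print("member carol, fixed:  ", search_fixed(index, projects, "carol", "token"))
```

Re-indexing on every visibility change is still worthwhile, but the fixed path does not depend on it: each hit is re-checked against the authoritative record, so a missed or delayed re-index can only cost a wasted lookup, never leak a private project.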
Conclusion
Most of these incidents show how exposed APIs are. If anything, they should push application developers to dedicate more time and resources to the security issues and vulnerabilities in their APIs.

In most cases, small changes to the APIs already in use yield significant benefits and can shield companies and service providers from the financial losses and embarrassment of an API breach. To find the low-hanging fruit in your own APIs, use our API penetration testing service.
Cyberlands.io Team