APIs make the world go round. They’re the underdogs of today’s hyper-mobile, microservice-driven landscape. They drive application development and innovations that range from complex industrial processes, to sharing a Corgi-butt GIF on a groupchat. However, despite their importance, mismanaged APIs also represent one of today’s greatest threats to the security of data. API token security is too often overlooked in favor of rapid time-to-markets, resulting in a recent study displaying the true threat of public API token exposure.
API Tokens: Passwords, But Sneakier
An Application Programming Interface (API) allows for the transfer of data across two different applications. Though this represents a new, streamlined frontier for work and play, this process immediately sets off alarm bells for the security-minded. If only one application demands authentication, the blast radius of account takeover attacks suddenly becomes a crater. At the same time, the sheer number of API calls made by complex apps would be a user interface nightmare if login info was requested at each step. API – or access – tokens aim to solve the security issue of API infrastructure. Here, the API acts as a lock, while a suitable access token will have the required grooves and ridges to turn its tumblers.
Secure API tokens are generally hardware-bound. When a user or application queries an API, the API first verifies that the username and password matches that of the payload. Once verified, the API drops an asset onto your browser for storage. Going forward – every time you query the API – it looks at this access token. The fact that access tokens appear device-specific seems like great news for DevSecOps, as it reduces the user’s own attack surface to an individual device. Even more secure are Single Sign-On tokens (SSOs) that act in a similar manner. Whilst traditional API access tokens might operate on a timer, SSOs allow for multi-site authentication, allowing a Facebook login to access a third-party API.
Thousands of API tokens exposed
While API tokens have revolutionized the landscape of user experience and cross-platform integration, the tokens themselves represent a key flaw. These tokens are small collections of code that are chock-full of highly specific info about the user. Despite their size, these snippets contain a lot of data.
The data-rich nature of API tokens – and their ubiquity across various database platforms – make them a natural target of cybercriminals. Researchers at JFrog scanned over 8 million open source artifacts in search of leaked API credentials. Their search covered PyPI, npm, and RubyGems – some of the most popular registries in the industry – and established a key precedent of API access tokens that were freely available to automated secret scanners.
One example that the researchers noted was of a leaked AWS access token left in a public PyPI project. Storing a AWS token itself isn’t necessarily unsecure, but only if that token refers back to the database – not the entire AWS account. Unfortunately, one slight misconfiguration can make the difference between safe database referral, and outright account takeover.
JFrog’s results showed that Amazon Web Services (AWS), Google Cloud Platform (GCP) and Telegram represented the most leaky API platforms. As the team continued to conduct research into what tokens were active, the data further shifted against GCP. Amazon developers ended up revoking 53% of all inactive tokens; GCP, on the other hand, revoked only 27%.
The risk that leaked API credentials entail cannot be understated. One of the world’s largest data breaches centered on a naive developer sharing his source code on Chinese Software Developer Networks (CSDN). From this screenshot came an API access token. The next piece of information to hit the public internet shocked investors and customers alike. Changpeng Zhao, CEO of Binance, released a Tweet: the company’s threat intelligence had detected 1 billion resident records being sold on the dark web. This included names, addresses, national IDs, and police and medical records. The sheer scale of this data breach is mind-boggling, with 1 billion making up 20% of all global internet users.
Thanks to the public exposure of just a single API credential, attackers were able to access internal Binance accounts, before moving with complete secrecy throughout the application landscape.
How To Protect API Tokens
To secure API tokens, it’s first vital to make all APIs that your organization depends on visible. Particularly within organizations that depend on or create their own custom APIs, a lack of documentation, alongside complete deviation from API specifications, is not an uncommon site. This used to severely limit the automated security offered by various security solution providers, but a new wave of API protection is paving the way toward adaptive, purpose-built protection.
With automated API discovery in place, it then becomes possible to dig deeper into the structure of each individual API, external to the endpoint on hand: a task ridiculous for any manual process, but perfectly suited for next-gen security solutions. From there, API protection needs to hone in on and identify the sensitive information that’s being handled by the various APIs. With each piece of the API security blanket in place, sensitive data can be fully overseen, preventing even advanced attacks that – whilst masquerading as normal access – actually attempt to squirrel it away.
As developers continue to provide access to sensitive information, it is vital that security remains at pace. The data governance that oversees the information within databases also needs to cover the APIs that ferry that information throughout networks. With data leakage and API abuse eliminated, industries and organizations can begin to fully optimize the highly-streamlined, hyper productive architecture of today.
