Ian Armas Foster is a researcher, big data analyst and writer at FireTail. Ian is also a content editor for Major League Soccer.
SiriusXM, like Hyundai, designed and deployed weak APIs into the wild.
According to FireTail’s First Law of API Security: if an API can be hacked and compromised, it will be. And indeed, security researchers found a vulnerability in myHyundai’s API that allowed a potential attacker to invoke the functions the app exposes, including starting the car, turning the lights on and off, locking the car and more.
This is a worst-case scenario for a breach of API security. Leaving an API endpoint online that does not require authentication is just asking for trouble, no matter how innocuous it may seem, as this provides an easy opening for hackers.
Researchers have proven that data stored in a browser's cache can be accessed.
Flaws in a smart hot tub's API expose data
Apps with leftover API credentials can be exploited by bad actors to create a bot army.
In March, the Texas Department of Insurance found that data relating to claims made between March 2019 and January 2022 had been compromised.
While the COVID pandemic is far from over, the era of the COVID exposure app may be. With Canada sunsetting its COVID alert app, it’s a good time to reflect on how in this case the API gave birth to the app instead of vice versa.