Ian Armas Foster is a researcher, big data analyst and writer at FireTail. Ian is also a content editor for Major League Soccer.
SiriusXM, like Hyundai, designed and deployed weak APIs into the wild.
According to FireTail’s First Law of API Security: If an API can be hacked and compromised, it will be. And indeed, security researchers found a vulnerability in myHyundai’s API that allowed a potential attacker to access the same functions the app itself exposes, including starting the car, turning the lights on and off, locking the car and more.
This is a worst-case scenario for a breach of API security. Leaving an API endpoint online that does not require authentication, however innocuous it may seem, is just asking for trouble: it hands hackers an easy opening.
Researchers have proven that data stored in a browser's cache can be accessed.
Apps with leftover API credentials can be exploited by bad actors to create a bot army.
In March, the Texas Department of Insurance found that data relating to claims made between March 2019 and January 2022 had been compromised.