This week, we have a vulnerability report from Alissa Knight on Fast Healthcare Interoperability Resources (FHIR) APIs being potentially vulnerable to abuse, and more details on how the breach at MakerBot’s Thingiverse 3D printing repository website could lead to hijacking users’ 3D printers.
In addition, there’s an article summing up the increasing numbers of API attacks and breaches, and an upcoming Kuppinger Cole webinar on continuous API security.
The key finding is that although the APIs themselves are well secured, there were serious shortcomings in the downstream mobile apps that consume the APIs. Knight concluded that these weaknesses in the “last mile” could seriously compromise both personally identifiable information (PII) and protected health information (PHI) of users. One app allowed access to a whopping 4 million patient and clinician records when logged in as a single patient!
For the most part, Knight was able to compromise the systems using relatively simple techniques, leading to the conclusion that greater controls should be imposed on developers consuming these APIs. For API security practitioners, the recommendations for app developers are of most interest and include the following points:
Specific recommendations were made for the FHIR API owners as follows:
Further details have emerged this week on the recent website breach at the 3D printer manufacturer MakerBot. A leaked MySQL database was discovered in an AWS S3 bucket, containing not only users’ PII but also, critically in some cases, OAuth tokens that could lead to a total takeover of the associated printers.
Further context came when a former MakerBot software developer, TJ Horner, disclosed on Twitter that up to 2 million users could have been impacted and that the OAuth tokens leaked were so-called “God tokens” that allowed full device access. In addition, the tokens were permanent (so no expiration to save you) and irrevocable (meaning that end users themselves could not revoke them). The manufacturer contradicted these claims, saying that only a “handful (less than 500) of real user data” were affected.
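As an added illustration of the token-design point above (this is example code, not MakerBot’s or the newsletter’s), here is a constructed in-memory store that issues scoped, expiring, user-revocable tokens and keeps only their hashes, so a leaked database does not hand out replayable device credentials. The scope names, the one-hour lifetime and the store layout are assumptions.

```python
import hashlib
import secrets
import time

# Assumed lifetime; the point is that tokens expire at all, unlike permanent ones.
TOKEN_TTL_SECONDS = 3600


class TokenStore:
    """Constructed example: hashed, scoped, expiring, revocable API tokens."""

    def __init__(self):
        # token_hash -> {"user", "scopes", "expires_at", "revoked"}
        self._records = {}

    @staticmethod
    def _hash(token):
        # Only the digest is persisted; a dumped table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, scopes, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # plaintext returned once, never stored
        self._records[self._hash(token)] = {
            "user": user,
            "scopes": frozenset(scopes),  # least privilege instead of a "God token"
            "expires_at": now + TOKEN_TTL_SECONDS,
            "revoked": False,
        }
        return token

    def revoke_all_for_user(self, user):
        # End users (or responders) can invalidate every live token for an account.
        count = 0
        for rec in self._records.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def check(self, token, required_scope, now=None):
        # Returns the owning user on success, None on unknown/expired/revoked/
        # insufficient-scope tokens, so callers cannot skip the scope test.
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return None
        if required_scope not in rec["scopes"]:
            return None
        return rec["user"]
```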
From an API security perspective, there are several lessons here:
Illustrating the urgency of improving API security is this week’s article on Data Center Knowledge revealing the extent of API attacks and breaches in 2021. The highlight is that only 6% of companies surveyed reported no API-related security incidents in the past year. The mind boggles!
Readers of this newsletter will be familiar with some of the higher-profile breaches mentioned in the article, such as:
On Thursday 21 October 2021, Kuppinger Cole’s lead analyst Alexei Balaganski hosted 42Crunch co-founder and field CTO Isabelle Mauny as they discussed a new approach to ensuring continuous API security: a shift-left and shield-right approach.
The webinar covers the following:
You can subscribe to this newsletter at APIsecurity.io.
Source: DZone Security