The disclosed API vulnerability in Moonpig is indicative of an area that is poorly documented, insufficiently logged, and routinely overlooked in security testing.
According to Trey Ford, global security strategist at Rapid7, APIs have been an area of concern in the cyber security community for years.
“An internet exposed API (Application Program Interface) is serving requests from the public internet,” he said. “This is further complicated by different developers using and expanding the API in unexpected ways. Moonpig, like many other organisations should be, is taking a hard look at the security of their APIs.”
In an email to IT Security Guru, Ford said that API attacks are inevitable, as it hasn’t yet been 90 days since photos were stolen over the Snapchat API. “Social media and mobile application APIs have been under constant attack as many APIs were never intended to be made publicly available,so they lack the security considerations anyone would expect of a service exposed to the public internet,” he said.
“This is further complicated by the fact that APIs have notoriously poor logging, which means companies are often blind to how those services are being used and abused.”
Ford also claimed that APIs are also hard(er) to test as unlike a website that can be crawled by a spider following links all over the page, few APIs have well documented, programmatic definitions. “This means that testing an API can be a time intensive, arduous process requiring the expensive attention of a specialist for each assessment,” he said.
Asked if the security of APIs is something that should fall under a vulnerability scan process, and therefore not something that is a regular occurrence, Ford said that testing APIs is considerably harder than standard websites, in that identifying the range of functionality and finding all the nooks and crannies in the code can be considerably harder than a website that is programmatically crawled.