Blog: Warning Issued on Web Programming Interfaces

Warning Issued on Web Programming Interfaces
Technology Review (08/05/09) Naone, Erica

Application programming interfaces (APIs), software specifications that allow Web sites and services to interact with each other, have been a major factor in the rapid growth of Web applications, but security experts at the DEFCON hacking conference revealed ways of exploiting APIs to attack different sites and services. APIs have been key to the success of many social sites. John Musser, founder of Programmable Web, a Web site for users of mashups and APIs, says that the traffic driven to Twitter through APIs, like from desktop clients, is four to eight times greater than the traffic that comes through Twitter's Web site. However, Nathan Hamiel from Hexagon Security Group and Shawn Moyer from Agura Digital Security say that APIs could be exploited by hackers. The security researchers note that several APIs are often stacked on top of each other. Hamiel says this kind of stacking could led to security problems on several layers, and that APIs can open sites to new kinds of threats. In the presentation, Hamiel demonstrated that an attack might be able to use an API in unintended ways to gain access to parts of a Web site that should not be visible to the public. Hamiel says whenever a site adds functionality it increases its attack surface, and the same thing that makes APIs powerful often makes them vulnerable. Musser says any site that builds an API on top of another site's API is relying on someone else's security, and it is difficult to determine what has been built to see how well it is handled. WhiteHat Security founder and chief technology officer Jeremiah Grossman says sites that publish APIs can find it difficult to discover security flaws in their own APIs, and it is often hard to tell how a third-party site is using an API and if that site has been compromised by an attacker.

View Full Article