Posted on

API Security Weekly: Issue 169

This week, we have details of a vulnerability in the popular WordPress plugin, WP HTML Mail, which potentially exposed 20,000 WordPress sites, and a vulnerability in TeslaMate software exposing dozens of Teslas to remote access. On more positive news, we have an introduction to vAPI, an open-source laboratory for learning API security, and an article on how to reduce API attack surfaces.

Vulnerability: WordPress Sites Exposed by Insecure REST API

This week, we have another vulnerability in a WordPress plugin: this time, the popular WP HTML Mail plugin. The vulnerability is tracked as CVE-2022-0218 with a CVSS score of 8.3, and it was discovered by Wordfence researcher Chloe Chamberland. The vulnerability may have impacted up to 20,000 WordPress installations, rendering them vulnerable as a result of the cross-site scripting (XSS) bug courtesy of an unprotected REST API endpoint in the plugin.

Posted on

API Security Weekly: Issue 162

This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API security training course from AppSecEngineer.

Vulnerability: Compromised Google Cloud Accounts Used to Mine Cryptocurrency

The main story this week comes from HackerNews and describes how attackers are able to exploit improperly secured Google Cloud Platform (GCP) tenants. The impact on affected users included compromising their cloud resources, like uploading cryptocurrency mining software, and ransomware and phishing attacks.

Posted on

The Value of Internal APIs

Internal APIs are designed primarily to streamline software development and simplify systems and operational processes. These currently represent the vast majority of use cases.

Internal APIs are often overlooked since they are aimed at in-house developers. These types of APIs generally work with proprietary data specific to a company and its departments. Although this data must be protected, it must also be accessible to those who work with it. Internal APIs allow for exactly this kind of secure access, creating more efficient development cycles for their products.

Posted on

Absolutism Around API Tools Increases Friction And Failure

I know you believe your tools are the best. I mean, from your vantage point, they are. I also know that when you are building a new API tool, your investors want you to position your tooling as the best. The one solution to rule them all. They want you to work hard to make your tools the best but also make sure and demonize other tooling as being inferior, out of date, and something dinosaurs use.

I know this absolute belief in your tooling feels good and right, but you are actually creating friction for your users and potentially failure or at least conflict within their teams. Absolutism, along with divide and conquer strategies for evangelizing API tooling, works for great short term financial strategies but doesn't do much to help us on the ground actually developing, managing, and sustaining APIs.