Technology Review - Published By MIT

Warning Issued on Web Programming Interfaces

Tools that connect websites can also open up new security vulnerabilities, experts say.

By Erica Naone

Wednesday, August 05, 2009


The rapid growth of Web applications has been fueled in part by application programming interfaces (APIs)--software specifications that allow sites and services to connect and interact with one another. But at the DEFCON hacking conference in Las Vegas last weekend, researchers revealed ways to exploit APIs to attack different sites and services.


APIs have been behind the meteoric rise of many key social sites. The social-networking site Facebook, for example, won huge gains in popularity and attention after opening its site to applications written by outside developers using its API.

The API of the microblogging media darling, Twitter, is also credited with partly driving its popularity. John Musser, the founder of Programmable Web, a website for users of mashups and APIs, says that the traffic that comes into Twitter through APIs--for example, from desktop clients--is four to eight times greater than the traffic that comes through its website. "The API has been crucial to the success of that startup," he says.

But researchers Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security say that APIs could also be exploited by hackers. They note that several APIs are often stacked on top of each other. For example, an API might be used by the developers of other websites who, in turn, publish APIs of their own. "There could be security problems at the different layers when this sort of stacking happens," Hamiel says.

Hamiel also notes that APIs can open sites to new kinds of threats. For example, he points to APIs for building applications that work across multiple websites. These tools may allow developers to pull in content from third-party websites, but Hamiel says that this also opens up possibilities for attacks.

During his presentation, Hamiel showed that an attacker might be able to use an API in unintended ways to gain access to parts of a website that shouldn't be visible to the public. "Whenever you add functionality, you increase your attack surface," Hamiel says, noting that what makes an API powerful is often the same as what makes it risky.
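As an added illustration of the two points above (an API exposing parts of a site that the website itself keeps private, and a further API stacked on top of it), not code from the article or from the researchers: a constructed profile service where the web page enforces an owner-only rule, a later-added API handler returns the raw record, and the fix shares one authorization function across every entry point. All names and data are assumptions.

```python
# Constructed sample data: two profiles, one of them owner-only.
PROFILES = {
    "alice": {"display_name": "Alice", "email": "alice@example.test", "public": True},
    "bob":   {"display_name": "Bob",   "email": "bob@example.test",   "public": False},
}


class Forbidden(Exception):
    """Raised when the viewer may not see the requested profile."""


def visible_fields(viewer, username):
    """The single authorization rule: non-owners never see private
    profiles, and the e-mail field is shown to the owner only."""
    profile = PROFILES[username]
    if not profile["public"] and viewer != username:
        raise Forbidden(username)
    fields = {"display_name": profile["display_name"]}
    if viewer == username:
        fields["email"] = profile["email"]
    return fields


def render_profile_page(viewer, username):
    """Website handler: routes through the shared rule."""
    return visible_fields(viewer, username)


def api_get_profile_v1(viewer, username):
    """API handler added later (the flaw): it returns the stored record
    directly, so the page's rule never runs on this path."""
    return dict(PROFILES[username])


def api_get_profile_v2(viewer, username):
    """Hardened API handler: same rule as the page, so the new entry point
    adds no new exposure."""
    return visible_fields(viewer, username)


def mashup_card(viewer, username, upstream):
    """A third-party API stacked on the site's API. It adds no checks of
    its own, so whatever the upstream layer leaks, it leaks too."""
    data = upstream(viewer, username)
    return {"title": data["display_name"], "contact": data.get("email")}


def is_forbidden(handler, viewer, username):
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(viewer, username)
    except Forbidden:
        return True
    return False
```

Running the same request against both API versions shows that the v1 path hands an anonymous caller the owner-only record, and that the stacked mashup inherits that leak, while v2 refuses it exactly as the web page does.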

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.