Skip to Content
Uncategorized

Warning Issued on Web Programming Interfaces

Tools that connect websites can also open up new security vulnerabilities, experts say.
August 5, 2009

The rapid growth of Web applications has been fueled in part by application programming interfaces (APIs)–software specifications that allow sites and services to connect and interact with one another. But at the DEFCON hacking conference in Las Vegas last weekend, researchers revealed ways to exploit APIs to attack different sites and services.

APIs have been behind the meteoric rise of many key social sites. The social-networking site Facebook, for example, won huge gains in popularity and attention after opening its site to applications written by outside developers using its API.

The API of the microblogging media darling, Twitter, is also credited with partly driving its popularity. John Musser, the founder of Programmable Web, a website for users of mashups and APIs, says that the traffic that comes into Twitter through APIs–for example, from desktop clients–is four to eight times greater than the traffic that comes through its website. “The API has been crucial to the success of that startup,” he says.

But researchers Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security say that APIs could also be exploited by hackers. They note that several APIs are often stacked on top of each other. For example, an API might be used by the developers of other websites who, in turn, publish APIs of their own. “There could be security problems at the different layers when this sort of stacking happens,” Hamiel says.

Hamiel also notes that APIs can open sites to new kinds of threat. For example, he points to APIs for building applications that work across multiple websites. These tools may allow developers to pull in content from third-party websites, but Hamiel says that this also opens up possibilities for attacks.

During his presentation Hamiel showed that an attacker might be able to use an API in unintended ways to gain access to parts of a website that shouldn’t be visible to the public. “Whenever you add functionality, you increase your attack surface,” Hamiel says, noting that what makes an API powerful is often the same as what makes it risky.

Programmable Web’s Musser says that many of the security risks introduced by an API are similar to those found in desktop computers. In both cases, he says, security vulnerabilities exist wherever there is an access point that an attacker might abuse. Any site that builds its API on top of another site’s API is relying on someone else’s security, and it’s not easy to look into what has been built to see how well it has been handled, Musser says. “Part of the fundamental issue is just how new the technology is,” he adds.

Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, says that sites that publish APIs can find it hard to discover security flaws in them. He notes that often it’s difficult to tell how a third-party site is using an API, and if that site has been compromised by an attacker.

APIs are also harder to test than traditional websites, Grossman says. Though software tools have been developed that can analyze a site’s underlying code to pinpoint potential vulnerabilities, those tools won’t work for testing APIs. “It’s a lot more manual with a lot less automation, and it means, at the end of the day for the business, more expense,” he says.

But while experts agree that there’s no easy fix for the risks introduced by APIs, they also say the technology isn’t going away. “Websites are becoming Web services, and that trend isn’t going to stop,” Musser says.

Deep Dive

Uncategorized

Five poems about the mind

DREAM VENDING MACHINE I feed it coins and watch the spring coil back,the clunk of a vacuum-packed, foil-wrappeddream dropping into the tray. It dispenses all kinds of dreams—bad dreams, good dreams,short nightmares to stave off worse ones, recurring dreams with a teacake marshmallow center.Hardboiled caramel dreams to tuck in your cheek,a bag of orange dreams…

Work reinvented: Tech will drive the office evolution

As organizations navigate a new world of hybrid work, tech innovation will be crucial for employee connection and collaboration.

lucid dreaming concept
lucid dreaming concept

I taught myself to lucid dream. You can too.

We still don’t know much about the experience of being aware that you’re dreaming—but a few researchers think it could help us find out more about how the brain works.

panpsychism concept
panpsychism concept

Is everything in the world a little bit conscious?

The idea that consciousness is widespread is attractive to many for intellectual and, perhaps, also emotional
reasons. But can it be tested? Surprisingly, perhaps it can.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.