The Growing Threat of Broken Authentication Attacks on APIs

Written by

Application programming interfaces (APIs) are integral to the functionality of the internet today. By enabling communications between programs, they make many processes more efficient and convenient, from internal business operations to users logging into their accounts or submitting payments online. APIs are valuable tools for streamlining the exchange of information. Unfortunately, the unique benefits of APIs are accompanied by unique challenges regarding data security.

Additionally, because they handle a great deal of data from various sources, they can pose a significant risk when compromised. One common type of attack on APIs is broken authentication.

What is Broken Authentication?

Broken authentication, or broken user authentication, is a term that encompasses a handful of different weaknesses in an API’s user authentication process. This applies to APIs that lack authentication entirely as well as APIs whose authentication measures are weak or faulty in their design or implementation. In short, broken authentication is a category of flaws that allow bad actors to impersonate users to gain access to applications without authorization. They can use this access to steal data, take over accounts and complete transactions without the account owner’s knowledge. Many devastating attacks on high-profile organizations have used broken user authentication to obtain information or access businesses’ databases. 

What Causes Broken Authentication?

Many factors can lead to broken authentication in an API and allow unauthorized access, from flawed design to user error. In some cases, API developers do not program any authentication measures, thinking that only authorized applications will have access to the API’s endpoints. This means that anyone with knowledge of the API’s endpoints and query structure can gain access, regardless of authorization. This is becoming less common as cybersecurity professionals stress API security as a significant concern.

It is more likely that broken authentication will be caused by faulty authentication measures, such as improperly generated tokens. If an API generates access tokens that are predictable or poorly encrypted, it can be easy for an attacker to obtain the token through brute force. Another issue regarding tokens is when they are too long-lived; to be secure, API tokens should expire after a period of time, especially after password changes, account recoveries and similarly sensitive actions. Tokens can also be stolen and leaked if transported insecurely, which can lead to significant breaches and losses.

Besides tokens, APIs can be vulnerable to brute force or credential stuffing due to the nature of the authentication. If passwords are not sufficiently complex, there are no account lockout thresholds implemented, and multi-factor authentication is not in place, it becomes much easier for bad actors to gain access to applications and accounts that do not belong to them. Additionally, an API is vulnerable to attack if the API key is the only authentication material, as it can be obtained by criminals as well.

How to Prevent Broken Authentication

Developers and security teams must understand API security and take steps to prevent attacks of any kind, including broken authentication. The process of securing an API against broken user authentication attacks must be holistic and taken into consideration from the beginning. Implementing access controls for all sensitive data and areas is vital, as the purpose of authentication is to grant a user access to a resource restricted from those who cannot authenticate their identity. It is also important to check out all authentication features available for an API and employ any measures possible to increase layers of authentication.

As seasoned hackers will attest, access tokens are a significant part of securing an API against broken authentication. Tokens should be sufficiently long and unpredictable; if they are derived from user information, they should be thoroughly encrypted with secret keys to prevent attackers from guessing the token and gaining unauthorized access. Tokens should never be included in URLs or transported in unencrypted traffic, as they are liable to be obtained by criminals that way.

In addition to preventative measures, it is important to have an API security solution that can “profile the typical authentication sequence for every API flow to detect abnormal behavior, such as missing credentials, missing authentication factors or authentication calls that are out of sequence.” If the typical and correct operations are defined through extensive monitoring, logging and analysis of API traffic, then attacks, such as brute forcing or credential stuffing, can be identified and stopped in their tracks. API security solutions and practices should be evaluated for their ability to address these concerns.

Broken authentication can cause significant breaches in security, allowing attackers access to user accounts, sensitive data stores and API functionalities they are not authorized to use. This can lead to sizable losses for businesses and individuals if left unchecked and improperly guarded against. It is vital to consider all possible steps that can be taken to prevent broken authentication, as this is one of the most common methods of attack for criminals looking to breach APIs.

What’s hot on Infosecurity Magazine?