With the growing popularity of APIs also increases the risks of security flaws. API security needs to be carefully considered right from the start of an API project and in API design. The Bitly/MSNBC case is a perfect example of why.
The Bitly/MSNBC Case
ComputerWeekly reported on 22 July 2014 a case where hackers abused the Bitly API in a novel attack. The attack was analysed and described in the Bitly API key and MSNBC unvalidated redirects post on the Websense Security Labs blog. The TV channel MSNBC is a business customer of Bitly. As such they can set up their own short domain URL, which are a more user friendly format. Every Bitly customer gets an API key to access the Bitly API to invoke features such as URL shortening. Hackers exploited the fact that they got hold of the API key of MSNBC. With that they changed the URL the MSNBC short URL was pointing to to some fake news site (see here, via Websense). Then this redirected short URL was spread via various Google and Yahoo! groups.
Luckily the damage was not huge. Surely, for MSNBC this has some negative effect (the URL was clicked 2,045 times) as they lose customer trust. Although this particular exploit is not too serious, it is quite easy to come up with really problematic cases if API security is not addressed very carefully. The Bitly developer portal provides some great recommendations about API best practices. While these are focusing on the Bitly API, the recommendations can be applied generally: For example, the API keys or any access tokes should be regarded and treated as secret data and not be exposed. Handling these should only happen on the server-side.
API Management and Security
A good way to be on the safe side is to use an established API Management solution. The 3SCALE solution covers five key elements to manage and control the access to data or services via APIs. Top priority is given to access control and security (see figure below). The 3SCALE API Management supports various security patterns out of the box:
- Standard API keys
- Application ID and key pairs
- OAuth 1.0
- OAuth 2.0
API providers can choose which of these patterns to secure their API is most appropriate related to their requirements. More details about these patterns and how they can be implemented can be found on the 3SCALE API Authentication support pages.
This Bitly/MSNBC report is one of the first and few about API security exploits. In fact, this particular exploit of malicious URL redirecting and misusing customers’ trust towards an organisation is the first of its kind, according to ComputerWeekly. As APIs become more and more mainstream, the number of such reports will naturally also increase.
APIs security must not be an afterthought. If you have particular questions about 3SCALE’s API Management and API security please get in touch with us.