API Security | Sep 27, 2024 | 7 min read | By Savan Kharod | Reviewed by David Blažević
Savan Kharod works on demand generation and content at Treblle, where he focuses on SEO, content strategy, and developer-focused marketing. With a background in engineering and a passion for digital marketing, he combines technical understanding with skills in paid advertising, email marketing, and CRM workflows to drive audience growth and engagement. He actively participates in industry webinars and community sessions to stay current with marketing trends and best practices.
In September 2024, the digital landscape faced a stark reminder of the vulnerabilities lurking within APIs. When Dotpe, a prominent Indian fintech startup known for revolutionizing payment solutions for the food and retail industry, suffered a massive API breach, sensitive customer data and critical business insights were laid bare. This incident not only jeopardized the privacy of millions but also exposed the weaknesses in API security practices that can affect businesses at any scale.
Dotpe provides digital payment and point-of-sale (POS) solutions that enable businesses to digitize operations and enhance customer interactions by allowing restaurants and cafes to offer contactless ordering through QR codes, an essential service during the COVID-19 pandemic. Dotpe quickly garnered attention and secured around $90 million in funding. High-profile clients include major chains like Social, Paradise Biryani, and international brands such as Pizza Hut and Starbucks.
However, this rapid growth came with a critical oversight—an unsecured API.
Protect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleProtect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleIt all started when the hacker, who goes by the name of “pea bee” on Twitter, visited a restaurant near his house. He ordered some drinks for himself using the QR code placed on his table.
He was expecting an OTP or some other form of authentication from the restaurant’s POS system, but to his surprise, he didn’t get any, and his order was on his table in less than 5 minutes.
That triggered him to study the QR ordering flow from his laptop, which revealed a glaring security flaw: Dotpe’s public API lacked essential authentication measures, leaving sensitive data exposed for anyone with basic technical knowledge to access.
Using just his browser’s developer tools, the hacker uncovered multiple vulnerabilities within Dotpe’s API, highlighting a significant oversight in security protocols.
The exposed APIs allowed unauthorized access to a wide range of sensitive data, including:
This breach left 37,529 restaurants and cafes vulnerable, including notable names that relied on Dotpe’s digital payment solutions.
Here’s a Twitter thread to understand the timeline of all the events that triggered this breach, what happened after that, and more.
The primary cause of the breach was the lack of API authentication. Dotpe’s public APIs, intended to support business operations like order tracking and insights generation, had no security checks to ensure authorized access. Without these safeguards, APIs become easy targets for malicious actors.
API authentication is a fundamental security requirement in today's API-driven landscape. Its absence led to hackers gaining what amounted to “admin-level access,” enabling them to:
Protect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleProtect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleAPI authentication is the process of verifying a client's identity (such as an application, user, or device) attempting to access an API. It ensures that only authorized entities can interact with the API and access its resources.
There are several common methods of API authentication:
Each one has its pros & cons and is used accordingly. For example, API Keys are simple but offer limited security, making them best suited for internal services, whereas OAuth is preferred for third-party integrations because of its enhanced security features.
API authentication is crucial in preventing API breaches because only authorized users or applications can access the API. By verifying the client's identity, API authentication blocks unauthorized access to sensitive data or services.
It’s important to note that authentication proves the identity of the client, while authorization determines what that client is allowed to do once authenticated. For example, after authenticating a user, an API may only grant access to specific data or functions based on that user’s role or permissions.
Strong authentication methods, like OAuth or JWT, prevent credential misuse, man-in-the-middle attacks, and API enumeration. If Dotpe had implemented OAuth or JWT, unauthorized access would have been prevented, as only authenticated users with valid tokens could access the API.
Additionally, features like token expiration, key rotation, and encrypted communication (via TLS) minimize the risk of breaches by reducing the chances of stolen credentials being exploited.
Proper API authentication acts as the first line of defense, protecting APIs from attacks and ensuring data security.
This breach could have been entirely avoided if Dotpe had implemented an API intelligence platform like Treblle. Here’s how Treblle would have made a difference:
Treblle’s API governance ensures that your APIs are built with security best practices from the ground up. Our automated scoring features would have flagged the lack of authentication during Dotpe’s API development, providing actionable insights to prevent such oversights before they reached production.
Treblle’s API Intelligence provides real-time insights into the performance and health of your APIs by analyzing 40+ API-specific data points across every single request made to the API. It helps teams detect issues like latency, failed requests, endpoint exploitation (like in the case with Dotpe), and more.
With Treblle, Dotpe would have quickly detected suspicious activity as the hacker attempted to exploit various endpoints.
Treblle’s focus on runtime security continuously scans live APIs for vulnerabilities. It would have identified Dotpe’s missing authentication and other design flaws before exploitation occurred. By alerting teams to issues such as missing tokens and weak encryption, Treblle could have enabled quick remediation of vulnerabilities.
The Dotpe API breach serves as a critical reminder of the need for robust API security measures. The absence of basic authentication left customer data and business reputations at risk. Security must remain a top priority as APIs increasingly drive operations across industries.
With solutions like Treblle, companies can transform their approach to building, shipping, and governing APIs, ensuring both functionality and security. Treblle’s blend of API governance, observability, and runtime security provides a comprehensive strategy to protect businesses from the devastating impacts of security breaches.
Imagine the potential risks if your business faced a similar breach. Don’t wait for an incident to occur. Explore how Treblle can safeguard your APIs and protect your customers today.
Protect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleProtect your APIs from threats with real-time security checks.
Treblle scans every request and alerts you to potential risks.
Explore TreblleShadow APIs are endpoints no one remembers adding. They quietly handle traffic, increase risk, and often go unnoticed. In this article, we explore how they appear, why they matter, and how different tools including Treblle help detect and understand them before trouble starts.
Shadow APIs and Zombie APIs both pose security risks, but they aren’t the same. This article breaks down the key differences, risks, and how to detect both before they become a breach vector.
CORS errors are a common challenge when building APIs that interact with front-end apps on different domains. This guide explains what CORS is, why it matters, how to configure it across frameworks, and how to avoid the most common pitfalls.