API Security | Jul 5, 2024 | 7 min read | By Savan Kharod | Reviewed by David Blažević
Savan Kharod works on demand generation and content at Treblle, where he focuses on SEO, content strategy, and developer-focused marketing. With a background in engineering and a passion for digital marketing, he combines technical understanding with skills in paid advertising, email marketing, and CRM workflows to drive audience growth and engagement. He actively participates in industry webinars and community sessions to stay current with marketing trends and best practices.
In a concerning report, Twilio has confirmed a security breach in its Authy app. An unsecured API endpoint allowed threat actors to access and verify the phone numbers of millions of Authy users, making them susceptible to SMS phishing and SIM-swapping attacks. This breach is reminiscent of a 2022 incident where Twilio’s security was compromised, leaking information about 75 million users.
Authy is a widely used multi-factor authentication app that provides two-factor authentication (2FA) to secure online accounts, generating time-sensitive codes that refresh every 20 seconds. The app is versatile and is compatible with Android, iOS, macOS, Windows, and Linux, and it stores codes on the cloud, ensuring users can always access their 2FA even if they lose their phone.
The breach exposed a glaring vulnerability in Authy's system: threat actors could submit large lists of phone numbers to the unsecured API endpoint, which returned the numbers linked to Authy accounts along with other account information. In total, 33 million phone numbers registered with the app were compromised.
Despite its robust security measures, Authy’s reputation is now under scrutiny due to this latest breach.
In response to this breach, Twilio promptly released updates for its Android and iOS apps on July 1, alongside a news release detailing the incident. The updates were aimed at enhancing security and protecting users from further exploitation.
As the name suggests, an unauthenticated API endpoint is a route or URL inside an API that does not require any form of login or authorization for access. This means that anyone, without needing to verify their identity, can send a request to the endpoint and receive a response.
An unauthenticated endpoint can cause several security threats like:
Despite these threats, unauthenticated endpoints are a common occurrence because of the need for streamlined development, prioritizing functionality over security during the initial stages.
To adapt to the need for rapid development, here are a few strategies you can use to protect unauthenticated API endpoints without compromising on your development speed:
Authenticated endpoints, as the name suggests, are endpoints that require proper authentication and authorization before they respond to any request. Here’s a tabular comparison between the two based on their application, use cases, and several other factors:
Aspect | Authenticated API Endpoint | Unauthenticated API Endpoint |
---|---|---|
Access Control | Requires users or systems to verify their identity before access | Does not require any form of identity verification |
Security | Higher security due to authentication mechanisms (e.g., OAuth) | Lower security, susceptible to unauthorized access |
Usage Scenario | Used for accessing sensitive or restricted data | Used for public data or open-access resources |
Examples of Authentication Methods | API keys, OAuth tokens, JWT (JSON Web Tokens) | None |
Risk Level | Lower risk of abuse and data breaches | Higher risk of abuse, data breaches, and exploitation |
Data Exposure | Access to data is controlled and monitored | Data is potentially exposed to anyone who can reach the endpoint |
Implementation Complexity | More complex to implement due to authentication requirements | Simpler to implement, no authentication logic is needed |
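To make the difference concrete, here is an added example (not code from the Treblle article, and not Twilio's or Authy's code) that puts a lookup endpoint of the kind described in the breach beside a hardened version applying the controls the table lists: identity verification with an API key, per-client request limits, a cap on input size, and controlled, monitored data exposure. The user store, API keys, phone numbers and thresholds are all constructed for the example.

```python
"""Added example: an unauthenticated phone-number lookup beside a hardened one.
Not the article's or Twilio's code; all data and names below are constructed."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data: phone numbers "registered" in a toy user store.
REGISTERED = {
    "+15550000001": {"user_id": "u-1001", "devices": 2},
    "+15550000002": {"user_id": "u-1002", "devices": 1},
}

# Constructed API keys for two hypothetical clients (assumed names).
API_KEYS = {"key-mobile-app": "client-a", "key-partner": "client-b"}

MAX_BATCH = 5           # hard cap on numbers accepted per request (assumed)
RATE_LIMIT = 10         # requests allowed per window per client (assumed)
WINDOW_SECONDS = 60

_request_log = defaultdict(deque)  # client id -> timestamps of recent requests
AUDIT = []                          # events a monitoring pipeline would receive


def lookup_unauthenticated(numbers):
    """The weak pattern: no identity check, no bound on input size, and the
    response states exactly which numbers are registered plus account fields."""
    return {n: REGISTERED[n] for n in numbers if n in REGISTERED}


def _client_for(api_key):
    """Resolve an API key to a client id using a constant-time comparison."""
    for known, client in API_KEYS.items():
        if hmac.compare_digest(known, api_key or ""):
            return client
    return None


def _within_rate_limit(client, now):
    """Sliding-window limiter: drop timestamps older than the window, then
    admit the request only if fewer than RATE_LIMIT remain."""
    window = _request_log[client]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True


def lookup_hardened(numbers, api_key, now=None):
    """The hardened pattern. Returns (http_status, response_body)."""
    now = time.time() if now is None else now
    client = _client_for(api_key)
    if client is None:
        AUDIT.append({"client": None, "outcome": "unauthenticated"})
        return 401, {"error": "authentication required"}
    if len(numbers) > MAX_BATCH:
        AUDIT.append({"client": client, "outcome": "batch_too_large", "size": len(numbers)})
        return 400, {"error": f"at most {MAX_BATCH} numbers per request"}
    if not _within_rate_limit(client, now):
        AUDIT.append({"client": client, "outcome": "rate_limited"})
        return 429, {"error": "rate limit exceeded"}
    AUDIT.append({"client": client, "outcome": "ok", "size": len(numbers)})
    # Minimal disclosure: the body is identical whether or not a number is
    # registered, so the caller learns nothing about which accounts exist.
    return 202, {"status": "verification sent where applicable"}
```

The hardened handler fails closed in order: identity first, then input size, then rate, and every branch leaves an audit record so a monitoring tool has something to alert on. The uniform 202 response is the part most often skipped: even an authenticated caller should not be able to turn the endpoint into a registration oracle.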
Here’s a short video with more on the difference between authenticated and unauthenticated API endpoints:
[Video: Treating Your API Like Your Home 🏠 #shorts #api #developers. API security = safeguarding your home]
Here are our top 4 picks when it comes to securing your APIs:
Graylog Open Source is a self-managed centralized log management solution designed for aggregating, analyzing, and managing log data. It helps organizations efficiently collect and interpret vast amounts of log data generated by IT infrastructure.
Graylog's robust log management and alerting capabilities make it an essential tool for maintaining API security by providing better threat detection using detailed logs.
OAuth Tools is a digital playground that lets you test the inner workings of your OAuth flows. You can use this tool to decode tokens such as JWTs, access tokens, and refresh tokens.
Datadome is an API security tool that helps you safeguard your API endpoints from unwelcome bot attacks. The tool lets you set per-endpoint request limits so that hackers and API explorers can’t use your APIs beyond a set threshold.
Treblle is an enterprise-grade API security tool that offers security, governance, and observability features. It helps monitor, secure, and manage your APIs effortlessly.
The tool also offers a proactive API security monitoring feature where the tool runs 15 security checks on every single API request and gives it one of three threat levels: Low, Medium, or High.
The tool also checks your incoming traffic by default using an automatic IP reputation check to help you evaluate the threat potential of your API traffic spikes as they happen. This proactive approach is very helpful in preventing SQL injection attacks among others.
Treblle integrates seamlessly with existing workflows, enhancing the overall efficiency of API management.
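To show what per-request checks with a Low/Medium/High outcome look like in practice, here is an added example (not the article's own code and not Treblle's actual check set). It runs four constructed checks over constructed JSON-lines access logs: a missing identity check on a sensitive path, an oversized batch, an IP on a stand-in reputation denylist, and a burst of lookups from one client. The log format, the denylisted address, the scoring weights and the thresholds are all assumptions made for the example.

```python
"""Added example: scoring API requests from access logs into Low/Medium/High.
Not the article's code; checks, weights, thresholds and log lines are constructed."""
import json
from collections import defaultdict

# Constructed denylist standing in for an IP reputation feed.
BAD_REPUTATION_IPS = {"203.0.113.77"}

SENSITIVE_PATHS = {"/v1/lookup"}  # assumed: paths that return account data
BULK_THRESHOLD = 50               # assumed: batch size considered bulk probing
BURST_THRESHOLD = 5               # assumed: prior lookups in the window before flagging
BURST_WINDOW = 60                 # assumed: seconds

# Constructed log lines, one JSON object per request.
SAMPLE_LOG = """
{"ts": 1, "ip": "198.51.100.5", "path": "/v1/lookup", "auth": true, "batch": 1}
{"ts": 2, "ip": "198.51.100.5", "path": "/v1/profile", "auth": true, "batch": 0}
{"ts": 3, "ip": "203.0.113.77", "path": "/v1/lookup", "auth": false, "batch": 500}
{"ts": 4, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
{"ts": 5, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
{"ts": 6, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
{"ts": 7, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
{"ts": 8, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
{"ts": 9, "ip": "192.0.2.10", "path": "/v1/lookup", "auth": false, "batch": 2}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of request dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Each check returns a score contribution; 0 means the check did not fire.
def check_missing_auth(req, _history):
    return 2 if req["path"] in SENSITIVE_PATHS and not req["auth"] else 0


def check_bulk_input(req, _history):
    return 2 if req.get("batch", 0) > BULK_THRESHOLD else 0


def check_ip_reputation(req, _history):
    return 2 if req["ip"] in BAD_REPUTATION_IPS else 0


def check_burst(req, history):
    recent = [t for t in history[req["ip"]] if req["ts"] - t <= BURST_WINDOW]
    return 2 if len(recent) >= BURST_THRESHOLD else 0


CHECKS = [
    ("missing_auth", check_missing_auth),
    ("bulk_input", check_bulk_input),
    ("ip_reputation", check_ip_reputation),
    ("burst", check_burst),
]


def threat_level(score):
    """Map a summed score onto the three levels the article names."""
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def assess(log_text):
    """Run every check on every request, keeping per-IP history of prior
    sensitive-path requests so the burst check sees earlier traffic."""
    history = defaultdict(list)
    results = []
    for req in parse_log(log_text):
        findings = {name: fn(req, history) for name, fn in CHECKS}
        findings = {name: s for name, s in findings.items() if s}
        score = sum(findings.values())
        results.append({
            "ts": req["ts"], "ip": req["ip"], "score": score,
            "level": threat_level(score), "findings": sorted(findings),
        })
        if req["path"] in SENSITIVE_PATHS:
            history[req["ip"]].append(req["ts"])
    return results


def high_risk_clients(results):
    """IPs that produced at least one High-rated request."""
    return {r["ip"] for r in results if r["level"] == "High"}


if __name__ == "__main__":
    for r in assess(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["level"], r["findings"])
```

Two things the run illustrates: a single request can reach High on its own when several independent signals stack (no identity, bulk input, bad reputation), and a client whose individual requests each look only Medium crosses into High once the history shows a burst of lookups. The second case is why per-request checks need state across requests, not just the current request's headers.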
The recent Twilio API breach serves as a critical reminder of the importance of securing APIs. An unsecured API endpoint in Twilio's Authy multi-factor authentication app allowed threat actors to access and verify the phone numbers of millions of users, exposing them to potential SMS phishing and SIM-swapping attacks.
While APIs are the backbone of seamless data exchange and functionality across platforms and applications, they also represent a significant attack surface that, if left unprotected, can lead to data breaches, unauthorized access, and substantial reputational damage.
Securing APIs is a fundamental aspect of safeguarding user data and maintaining trust. By using tools like Treblle, organizations can proactively manage their API security, prevent breaches like the one experienced by Twilio, and maintain the integrity and reliability of their digital services.