Recently we published our State of API Security 2024 report, and in it we highlighted a new API attack vector: APIs shipped with third-party COTS (commercial off-the-shelf) software.
Let’s talk about a recent example of an API vulnerability that was exploited to gain access to data within the German government. The German government had deployed Cisco’s Webex conferencing software and was using the on-premises version of Webex to store its data so that it would stay within Germany.
But in early May of this year, outside researchers discovered an IDOR/BOLA vulnerability that could have been exploited to access information about the times and dates of calls, as well as officials’ names, personal meeting rooms, and so on. A few months prior, Russia had published one of the German government’s meeting recordings held on the Webex platform; it has not been confirmed whether the two incidents were connected.
The German government has since blocked access and stopped using Webex, but the incident has left many customers questioning the platform. Cisco has responded with a security advisory stating that it is continuing to investigate in order to strengthen its security and avoid future vulnerabilities.
However, this incident serves to highlight how APIs present direct data access across modern software platforms.
When customers install third-party software today, they often overlook the fact that it ships with its own APIs, whether the customer is aware of them or not. For the German government, this meant that even their on-premises recordings sat behind APIs with vulnerabilities they were unprepared for. Customers are usually blind to these risks and neither test nor monitor these 3rd-party-provided APIs.
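One way a customer can monitor a vendor-supplied API it cannot patch itself, as an added example that is not FireTail’s or Cisco’s code: it scans constructed API-gateway access-log lines for a single authenticated principal sweeping many distinct, consecutive meeting IDs, the footprint an IDOR/BOLA probe leaves even when every request is authenticated. The log format, path layout and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample gateway access log (not from the real incident).
# Assumed field order: timestamp principal method path status
SAMPLE_LOG = """\
2024-05-02T10:00:01Z alice GET /api/v1/meetings/10231 200
2024-05-02T10:00:03Z alice GET /api/v1/meetings/10231/recordings 200
2024-05-02T10:00:05Z bob GET /api/v1/meetings/20417 200
2024-05-02T10:01:00Z carol GET /api/v1/meetings/30001 200
2024-05-02T10:01:01Z carol GET /api/v1/meetings/30002 200
2024-05-02T10:01:02Z carol GET /api/v1/meetings/30003 200
2024-05-02T10:01:03Z carol GET /api/v1/meetings/30004 200
2024-05-02T10:01:04Z carol GET /api/v1/meetings/30005 404
2024-05-02T10:01:05Z carol GET /api/v1/meetings/30006 200
2024-05-02T10:01:06Z carol GET /api/v1/users/me 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed path shape for meeting objects; sub-resources such as /recordings count too.
MEETING_RE = re.compile(r"^/api/v1/meetings/(\d+)(?:/|$)")

def parse_log(text):
    """Yield (principal, meeting_id, status) for every request that names a meeting object."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, principal, _method, path, status = m.groups()
        p = MEETING_RE.match(path)
        if p:
            yield principal, int(p.group(1)), int(status)

def find_enumerators(text, max_distinct=3):
    """Flag principals touching more distinct meeting IDs than a normal user would in
    the window, and count how many of those IDs are consecutive: a high count is the
    signature of a sequential-ID sweep rather than ordinary meeting use."""
    seen = defaultdict(set)
    for principal, meeting_id, _status in parse_log(text):
        seen[principal].add(meeting_id)  # count attempts regardless of status (404s included)
    report = {}
    for principal, ids in seen.items():
        if len(ids) > max_distinct:
            ordered = sorted(ids)
            sequential = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
            report[principal] = {"distinct_ids": len(ids), "sequential_pairs": sequential}
    return report

if __name__ == "__main__":
    for who, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{who}: {stats}")
```

In the sample only carol is flagged (six distinct IDs, five consecutive pairs); alice’s repeat visits to one meeting and bob’s single lookup are ordinary use.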
No one is exempt from cybersecurity risks and incidents. In an increasingly risk-filled landscape, API security is more important than ever.
Want to learn more about API security, or see how you can strengthen your API security posture? Schedule a free, 30-minute demo with FireTail today.