Ian Armas Foster is a researcher, big data analyst and writer at FireTail. Ian is also a content editor for Major League Soccer.
SiriusXM, like Hyundai, designed and deployed weak APIs into the wild.
According to FireTail’s First Law of API Security: if an API can be hacked and compromised, it will be. And indeed, security researchers found a vulnerability in myHyundai’s API that allowed a potential attacker to invoke the same functions the app itself exposes, including starting the car, turning the lights on and off, locking the car and more.
This is a worst-case scenario for a breach of API security. Leaving an API endpoint online that does not require authentication is just asking for trouble, no matter how innocuous it may seem, as this provides an easy opening for hackers.
Researchers have proven that data stored in a browser's cache can be accessed.
Apps with leftover API credentials can be exploited by bad actors to create a bot army.
While the COVID pandemic is far from over, the era of the COVID exposure app may be. With Canada sunsetting its COVID alert app, it’s a good time to reflect on how in this case the API gave birth to the app instead of vice versa.