#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

API Security | Breaking Cybersecurity News | The Hacker News

Category — API Security
"Linguistic Lumberjack" Vulnerability Discovered in Popular Logging Utility Fluent Bit

"Linguistic Lumberjack" Vulnerability Discovered in Popular Logging Utility Fluent Bit

May 21, 2024 Cyber Attack / API Security
Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution. The vulnerability, tracked as  CVE-2024-4323 , has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through 3.0.3, with fixes  available  in  version 3.0.4 . The issue relates to a case of memory corruption in Fluent Bit's built-in HTTP server that could allow for DoS, information leakage, or remote code execution. Specifically, it relates to sending maliciously crafted requests to the  monitoring API  through endpoints such as /api/v1/traces and /api/v1/trace. "Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it," security researcher Jimi Sebree  said . "During the parsing of incoming requests for the /api/
Code Keepers: Mastering Non-Human Identity Management

Code Keepers: Mastering Non-Human Identity Management

Apr 12, 2024 DevSecOps / Identity Management
Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Apr 03, 2024 Browser Security / Session Hijacking
Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials ( DBSC ) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said. "By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value," the company  noted . "We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices." The development comes on the back of reports that off-the-shelf information stealing malware are finding ways to steal cookies in a manner that al
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Mar 27, 2024 Vulnerability / API Security
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo
APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage

APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage

Mar 19, 2024 API Security / Vulnerability
Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively.  The State of API Security in 2024 Report  from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What's more, a typical enterprise site saw an average of 1.5 billion API calls in 2023. The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they're cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.  In their report, Imperva concludes that APIs are now a
Cisco Fixes High-Risk Vulnerability Impacting Unity Connection Software

Cisco Fixes High-Risk Vulnerability Impacting Unity Connection Software

Jan 11, 2024 Vulnerability / Patch Management
Cisco has released software updates to address a critical security flaw impacting Unity Connection that could permit an adversary to execute arbitrary commands on the underlying system. Tracked as  CVE-2024-20272  (CVSS score: 7.3), the vulnerability is an arbitrary file upload bug residing in the web-based management interface and is the result of a lack of authentication in a specific API and improper validation of user-supplied data. "An attacker could exploit this vulnerability by uploading arbitrary files to an affected system," Cisco  said  in an advisory released Wednesday. "A successful exploit could allow the attacker to store malicious files on the system, execute arbitrary commands on the operating system, and elevate privileges to root." The flaw impacts the following versions of Cisco Unity Connection. Version 15 is not vulnerable. 12.5 and earlier (Fixed in version 12.5.1.19017-4) 14 (Fixed in version 14.0.1.14006-5) Security researcher Maxim Suslov has been cre
5 Ways to Reduce SaaS Security Risks

5 Ways to Reduce SaaS Security Risks

Jan 03, 2024 Attack Surface / SaaS Security
As technology adoption has shifted to be employee-led, just in time, and from any location or device, IT and security teams have found themselves contending with an ever-sprawling SaaS attack surface, much of which is often unknown or unmanaged. This greatly increases the risk of identity-based threats, and according to a recent report from CrowdStrike, 80% of breaches today use compromised identities, including cloud and SaaS credentials. Given this reality, IT security leaders need practical and effective  SaaS security solutions  designed to discover and manage their expanding SaaS footprint. Here are 5 key ways Nudge Security can help. Close the visibility gap Knowing the full scope of SaaS apps in use is the foundation of a modern IT governance program. Without an understanding of your entire SaaS footprint, you cannot say with confidence where your corporate IP is stored (Did someone sync their desktop to Dropbox?), you cannot make assumptions about your customer data (Did s
Tell Me Your Secrets Without Telling Me Your Secrets

Tell Me Your Secrets Without Telling Me Your Secrets

Nov 24, 2023 Developer Tools / API Security
The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new  HasMySecretLeaked service . They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How could they comb a vast library of secrets found in publicly available GitHub repositories and their histories and compare them to your secrets without you having to expose sensitive information? This article will tell you how. First, if we were to set a bit's mass as equal to that of one electron, a ton of data would be around 121.9 quadrillion petabytes of data at standard Earth gravity or $39.2 billion billion billion US dollars in MacBook Pro storage upgrades (more than all the money in the world). So when this article claims GitGuardian scanned a "ton" of GitHub public commit data, t
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

Nov 17, 2023 Software Supply Chain / API Security
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. "A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack," the software supply chain security firm  said . Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023. A common denominator to these packages is t
Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers

Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers

Nov 10, 2023 Cyber Attack / Threat Intelligence
Cybersecurity researchers have discovered a stealthy backdoor named  Effluence  that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server. "The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence," Aon's Stroz Friedberg Incident Response Services  said  in an analysis published earlier this week. "The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence." The attack chain documented by the cybersecurity entity entailed the exploitation of  CVE-2023-22515  (CVSS score: 10.0), a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers. Atlassian has since disclosed a second flaw known as  CV
Make API Management Less Scary for Your Organization

Make API Management Less Scary for Your Organization

Oct 24, 2023 API Management / Cybersecurity
While application development has evolved rapidly, the API management suites used to access these services remain a spooky reminder of a different era. Introducing new API management infrastructure with these legacy models still poses challenges for organizations as they modernize. Transitioning from monolithic architectures to agile microservices empowers developers to make quick changes. Using serverless technologies and containers enables rapid scalability. Adopting cloud-native API management further enhances developer productivity and leaves the ghosts of outdated operations behind. This blog uncovers the risks of neglecting API modernization and highlights how Gloo Gateway enhances upstream projects like Envoy with essential enterprise features like security, observability, and API controls. What's more, as a Kubernetes-native solution, Gloo Gateway seamlessly integrates with the Kubernetes API for easy deployment. Gloo Gateway adds enterprise capabilities to upstream open sou
API Security Trends 2023 – Have Organizations Improved their Security Posture?

API Security Trends 2023 – Have Organizations Improved their Security Posture?

Oct 03, 2023 API Security / Data Security
APIs, also known as application programming interfaces, serve as the backbone of modern software applications, enabling seamless communication and data exchange between different systems and platforms. They provide developers with an interface to interact with external services, allowing them to integrate various functionalities into their own applications. However, this increased reliance on APIs has also made them attractive targets for cybercriminals. In recent years, the rise of API breaches has become a growing concern in the world of cybersecurity. One of the main reasons behind the rise of API breaches is inadequate security measures implemented by developers and organizations. Many APIs are not properly secured, leaving them vulnerable to attacks. Moreover, hackers have developed sophisticated techniques that specifically target weaknesses within APIs. For example, they may leverage malicious code injections into requests or manipulate responses from an API endpoint to gain
APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries

APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries

Oct 02, 2023 API Security / Penetration Testing
Introduction In today's interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors. Download  API Security Guide . The API Revolution The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and c
Expert Insights / Articles Videos
Cybersecurity Resources