6 API security lessons from the Venmo breach

Earlier this summer, a computer science student was able to access information on seven million Venmo transactions, including the full names of people sending money through the platform. Last year, another researcher was able to download more than 200 million transactions.

This wasn’t a case of someone exploiting a vulnerability to hack into a system, or of a company accidentally leaving a database in full public view. Venmo made the data accessible by design: its public application programming interface (API) lets anyone download it. The available data includes names and transaction descriptions, and some of those descriptions include details of illegal drug activity.

Divorce attorneys and IRS auditors could also potentially make use of this information, says Keith Casey, API problem solver at Okta, an access management company. “As a security issue, it also creates the opportunity for malicious actors to use this publicly available payment record for social engineering attacks,” he added. “With 40 million active users, Venmo’s APIs are an unlocked front door to a treasure trove of insights.”

Venmo isn’t alone. APIs are a major security headache for many companies. According to a survey released late last year by Ping Identity, 60% of companies have more than 400 APIs, up from 46% a year earlier. In fact, 51% aren’t sure their security teams know about all the APIs that exist in the organization, and 45% aren’t confident in their ability to detect if a bad actor is accessing the APIs. “Security professionals need to get involved with the development of these APIs,” says Humberto Gauna, consultant at BTB Security.

Of course, in Venmo’s case the open API seems to have been a deliberate choice, since the company had known about the problem for a year. “The API functioned as it was designed,” says Gauna. “They have made some changes, so that those who are trying to harvest data can’t get it as quickly as before. But I wouldn’t call that security. It’s more of an inconvenience.”
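Gauna’s point, that throttling a public feed slows a harvester without denying it anything, is easy to show in a small simulation. The following is an added example written for this article, not Venmo’s code; the ledger, the page-based feed and the requester names are all constructed, and a real API’s windows and pagination would differ.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    sender: str
    recipient: str
    note: str

# Constructed sample ledger: every name and note here is invented.
LEDGER = [
    Txn("Alice Example", "Bob Sample", "rent"),
    Txn("Carol Test", "Dave Demo", "concert tickets"),
    Txn("Erin Placeholder", "Frank Fixture", "dinner"),
]

def public_feed_throttled(page, page_size, calls_made, max_calls):
    """Throttled-but-public model: anyone may page through the whole
    ledger; the only control is a cap on calls per window."""
    if calls_made >= max_calls:
        return None  # throttled; nothing stops the client from retrying later
    start = page * page_size
    return LEDGER[start:start + page_size]

def scrape_all(page_size, max_calls):
    """Patient harvester against the throttled feed. Each time it is
    throttled it waits out the window and resumes; it still ends up
    with every record. Returns (records, windows_waited)."""
    got, page, calls, windows = [], 0, 0, 0
    while True:
        chunk = public_feed_throttled(page, page_size, calls, max_calls)
        if chunk is None:       # window exhausted: wait, then reset the counter
            windows += 1
            calls = 0
            continue
        if not chunk:           # ran off the end of the ledger: harvest complete
            return got, windows
        got.extend(chunk)
        page += 1
        calls += 1

def feed_scoped(requester):
    """Access-controlled model: the feed is tied to an authenticated
    requester and returns only transactions they took part in, so an
    outsider gets nothing no matter how many calls they make."""
    return [t for t in LEDGER if requester in (t.sender, t.recipient)]
```

With a cap of one call per window the harvester waits out three windows but still collects all three records, while the scoped feed returns nothing to a requester who is party to none of them.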

Read full article at CSO magazine.