T-Mobile announced that it had fixed a security issue in which anyone could query a T-Mobile API to obtain personal information, including email addresses, IMSI numbers (the subscriber identifier tied to a customer's SIM), and account details. All an attacker needed to do was change the phone number value in the API call, and the API returned the information for that phone number. An attacker could script this and iterate through phone numbers to pillage account information for T-Mobile customers at scale.
Unfortunately, API vulnerabilities are extremely common. APIs are often overlooked when assessing the security of a web application because they typically have no visible front end. Anyone who wants to query an API has to build a request and submit it to the site; since the endpoints are not browsable from the website itself, they are easy to forget. That is a problem, because APIs frequently carry a large share of an application's vulnerabilities. In T-Mobile's case, the account data was never tied to the authenticated user making the request: the API authenticated the caller but then handed over whatever record the phone-number parameter pointed at, without checking WHO was entitled to that record. This is a textbook insecure direct object reference (what OWASP's API Security Top 10 calls broken object level authorization). It is a simple flaw, and it can lead to total compromise of a company's customer data.
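To make the missing check concrete, here is an added example (not T-Mobile's or WhiteHat's code) showing the flawed lookup pattern beside a hardened one. The account records, session tokens and handler names are constructed for illustration; the point is that the fixed handler compares the requested object to the authenticated caller before returning anything, which is exactly the step the vulnerable handler skips.

```python
"""Added example: an account-lookup handler keyed only on an attacker-supplied
phone number (the flawed pattern), next to a version that ties the lookup to
the authenticated caller. All data and names below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    phone: str
    email: str
    imsi: str
    account_id: str


# Constructed sample subscribers; no real values.
ACCOUNTS = {
    "15550100001": Account("15550100001", "alice@example.com", "310260000000001", "A-1001"),
    "15550100002": Account("15550100002", "bob@example.com", "310260000000002", "A-1002"),
}

# Constructed session store: bearer token -> phone number of the logged-in subscriber.
SESSIONS = {"tok-alice": "15550100001", "tok-bob": "15550100002"}


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but the requested object belongs to someone else."""


class NotFound(Exception):
    """No account for that phone number."""


def authenticate(headers):
    """Return the phone number bound to the caller's bearer token."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        raise Unauthorized("missing or malformed bearer token")
    phone = SESSIONS.get(value[len("Bearer "):])
    if phone is None:
        raise Unauthorized("unknown token")
    return phone


def lookup_vulnerable(headers, phone):
    """Flawed: authentication happens, but the record returned is whatever
    phone number the caller put in the request. Any valid session can read
    any subscriber (an IDOR / broken object level authorization)."""
    authenticate(headers)
    account = ACCOUNTS.get(phone)
    if account is None:
        raise NotFound("no such account")
    return account


def lookup_fixed(headers, phone):
    """Hardened: the requested object must belong to the authenticated caller.
    This comparison is the check that was missing in the vulnerable handler."""
    caller_phone = authenticate(headers)
    if phone != caller_phone:
        # In production, answering with the same error as NotFound avoids
        # confirming to an attacker which numbers are live customers.
        raise Forbidden("account does not belong to caller")
    account = ACCOUNTS.get(phone)
    if account is None:
        raise NotFound("no such account")
    return account


def sweep(lookup, token, phones):
    """Simulate the scripted enumeration described in the post: try every
    phone number with one session and collect what leaks (phone -> email)."""
    headers = {"Authorization": f"Bearer {token}"}
    leaked = {}
    for phone in phones:
        try:
            leaked[phone] = lookup(headers, phone).email
        except (Unauthorized, Forbidden, NotFound):
            continue
    return leaked


if __name__ == "__main__":
    numbers = list(ACCOUNTS)
    print("vulnerable:", sweep(lookup_vulnerable, "tok-alice", numbers))
    print("fixed:     ", sweep(lookup_fixed, "tok-alice", numbers))
```

Run with one session and every candidate number: the vulnerable handler leaks every subscriber's record to Alice's token, while the fixed handler returns only Alice's own. Note that the fix is an authorization check, not more authentication; requiring a login was already in place in the flawed version and did nothing to stop the sweep. Rate limiting and alerting on one session touching many distinct account identifiers are worthwhile as defence in depth, but they do not substitute for the ownership check.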
APIs have also been notoriously difficult to test. Traditional automated scanners struggle to find vulnerabilities in an API because there is nothing to navigate: a scanner crawls a website by following the links on each page, but API requests have to be constructed by the client. I send a request and get data back, and the response almost never contains links to follow. Without a specification or recorded traffic to seed it, a typical dynamic scanner never discovers the endpoints, let alone the parameters (such as that phone number) it would need to tamper with.
We at WhiteHat know that APIs are the new way companies are building websites. APIs make an application easier to integrate with other systems and are a solid base for building any web application. At the same time, we recognize that security around APIs is pretty abysmal at the moment. Because we have the human touch on our end (our Threat Research Center team), we are able to work around the limitations of legacy scanning technology by training and customizing our scanning engines to navigate a company's APIs. This gives the API full coverage and lets us find vulnerabilities such as the one in T-Mobile's API. Assessing APIs also takes a special skill set, which is why we built a team of API experts to find the vulnerabilities that no scanner can.
The T-Mobile vulnerability underscores that API security needs to be at the forefront of application security. APIs are an often-overlooked part of a website and are extremely vulnerable to simple attacks such as swapping one identifier for another. Make sure you are looking at your APIs, verifying that every object returned belongs to the caller requesting it, and getting them tested!