Internet of Things, Smart Cities and API Security

Mamoon Yunus


Justin Bieber and Selena Gomez ramp up on API Security

When your ex-girlfriend's Instagram account gets hacked through an API security breach and your risqué pictures go viral, you rapidly try to understand the root cause of the breach and commit to becoming an API security expert.

Maybe that is expecting too much from Justin Bieber and Selena Gomez, but it is the kind of event that should make API security concerns viral and mainstream. Initially, the API security breach was purportedly limited to "high-profile" users à la Gomez et al.

The latest report shows that a database of over 10,000 users may have been exposed, and that the data of potentially over 6 million users was scraped for sale at $10 per query. For details see:

Site sells Instagram users’ phone and e-mail details, $10 a search

Technical Details: Here are the steps that the hackers may have taken for this API security breach:
  1.  Pick outdated Instagram mobile app version 8.5.1.
  2.  Create a valid Instagram account.
  3.  Select the password-reset option.
  4.  Use web-proxy servers to act like the mobile app calling the Instagram servers.
  5.  Modify the request at the web proxy with the user id of the celebrity.
  6.  The Instagram server would send a JSON-formatted response with personal information.
In this attack, a legitimate user session is established first. A password-reset request carrying a user id other than that of the logged-in user is then sent to the Instagram server, which leaks the *impersonated* user's email address and phone number in a JSON response. Why would a password reset return this data at all? Perhaps because the mobile app validates it against what it has stored locally on the phone; a web proxy in the middle, however, performs no such validation and simply reads the response. Had JSON Web Encryption (JWE) been applied to the JSON response, the proxy-in-the-middle would have seen only the encrypted data.
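The following is an added example, not Instagram's code or the author's, that puts a reset handler with the flaw described above beside a hardened one. The user table, ids, contact details and the `Session`/`AuditLog` types are all constructed for the example. The hardened handler shows the server-side fix that encryption alone does not give: the client-supplied user id is never used for the lookup, contact details never leave the server, every response body is identical so the endpoint is not an oracle, and a mismatch between the session's user and the requested id is logged as a detection signal.

```python
# Added example (not Instagram's or the author's code): a password-reset
# handler that echoes the target's contact details, beside a hardened one.
# All user data, ids and helper types below are constructed for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed in-memory user store; hypothetical ids and contact details.
USERS: Dict[str, Dict[str, str]] = {
    "1001": {"email": "alice@example.com", "phone": "+1-555-0100"},
    "1002": {"email": "celeb@example.com", "phone": "+1-555-0199"},
}

# Stand-in for the mailer/SMS gateway: (address, token) pairs "sent" out of band.
OUTBOX: List[Tuple[str, str]] = []


@dataclass
class Session:
    """An authenticated session; user_id is the account that logged in."""
    user_id: str


@dataclass
class AuditLog:
    """Collects events a SOC would alert on (constructed for the example)."""
    events: List[dict] = field(default_factory=list)


def reset_vulnerable(session: Session, requested_user_id: str) -> dict:
    """Trusts the user id carried in the request body, looks it up and returns
    the record's email and phone so the client can 'validate' them locally.
    Any party that can edit the request in transit reads another user's PII,
    and the session is never consulted."""
    user = USERS.get(requested_user_id)
    if user is None:
        return {"status": "unknown_user"}
    return {"status": "ok", "email": user["email"], "phone": user["phone"]}


# One body for every outcome: no enumeration of ids, no echo of contact data.
GENERIC_RESPONSE = {"status": "If the account exists, a reset message has been sent."}


def deliver_reset_out_of_band(email: str) -> None:
    """Simulated delivery: the token goes to the stored address, never into
    the API response, so a proxy in the middle has nothing to read."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))


def reset_hardened(session: Session, requested_user_id: str, log: AuditLog) -> dict:
    """Hardened handler:
    1. Only the session's own account can be reset from that session; the
       client-supplied id is compared to the session and never used for lookup.
    2. Contact details stay server-side; delivery happens out of band.
    3. Every path returns the same body, so the endpoint is not an oracle.
    A mismatch between session user and requested id is recorded for detection."""
    if requested_user_id != session.user_id:
        log.events.append({
            "event": "reset_user_mismatch",
            "session_user": session.user_id,
            "requested_user": requested_user_id,
        })
        return dict(GENERIC_RESPONSE)
    user = USERS.get(session.user_id)
    if user is not None:
        deliver_reset_out_of_band(user["email"])
    return dict(GENERIC_RESPONSE)


def suspicious_sessions(log: AuditLog) -> List[str]:
    """Detection: sessions that asked to reset an account other than their own.
    Returns the sorted, de-duplicated session user ids to review."""
    return sorted({e["session_user"] for e in log.events
                   if e["event"] == "reset_user_mismatch"})


if __name__ == "__main__":
    log = AuditLog()
    victim_session = Session("1001")
    print("vulnerable:", reset_vulnerable(victim_session, "1002"))
    print("hardened:  ", reset_hardened(victim_session, "1002", log))
    print("flagged:   ", suspicious_sessions(log))
```

The comparison in the `__main__` block makes the point concrete: the vulnerable handler returns the other account's email and phone to a session that has no business asking for them, while the hardened handler returns the same generic body it would return for a legitimate request or a non-existent id, and leaves an audit event behind. Applying JWE to the response, as the paragraph above suggests, would hide the payload from an intermediary that lacks the key, but it does not remove the authorization flaw; the mismatch check and the generic body do.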


More Stories By Mamoon Yunus

Mamoon Yunus is an industry-honored CEO and visionary in Web Services-based technologies. As the founder of Forum Systems, he pioneered XML Security Gateways & Firewalls and was granted a patent for XML Gateway Appliances. He has spearheaded Forum's direction and strategy for eight generations of award-winning XML Security products. Prior to Forum Systems, Yunus was a Global Systems Engineer for webMethods (NASD: WEBM) where he developed XML-based business integration and architecture plans for Global 2000 companies such as GE, Pepsi, Siemens, and Mass Mutual. He has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group.

He holds two Graduate Degrees in Engineering from MIT and a BSME from Georgia Institute of Technology. InfoWorld recognized Yunus as one of four "Up and coming CTOs to watch in 2004." He is a sought-after speaker at industry conferences such as RSA, Gartner, Web Services Edge, CSI, Network Interop, and Microsoft TechEd. Yunus has the distinction of showcasing Forum Systems' entrepreneurial leadership as a case study at the MIT Sloan School of Management. He has also been featured on CNBC as Terry Bradshaw's "Pick of the Week."