M&A and JWT Are Surprising Sources of API Threats, According to New Wallarm Report
July 31, 2024 - 9:00 PM
Business Wire (English)
API ThreatStats Q2 ’24 Identifies Combination of Accelerating
and New Risks to API Security
Wallarm, the leading end-to-end API and app security company,
today announced the release of its Q2 API ThreatStats™2024 Report.
In a continuation of the Q1 ThreatStats Report, AI APIs continue to
intensify in volume and severity, contributing to several critical
exploits. The report also shines a spotlight on the significant
role that mergers and acquisitions (M&A) activity played in
exposing multiple organizations to significant risk, as well as the
surprising persistence of JSON Web Token (JWT) misuse across a wide
range of applications.
New Trends and Surprising Vulnerabilities
Among new observations in this quarter’s report are critical
security risks being introduced during M&A. The report
highlights significant examples of risk being introduced during an
ongoing M&A process and digs into the factors that make this an
ongoing issue. Notable incidents include: TestRail (Atlassian),
HelloSign (Dropbox), Duo (Cisco), and Authy (Twilio). These
platforms faced significant API breaches, underscoring the
importance of thorough security assessments and stringent security
protocols during M&A transitions.
A notable trend is that the misuse of JWT continues to pose
significant security challenges. Despite JWT’s widespread adoption
for securing API communications, proper implementation remains
difficult, leading to critical risk. Key issues identified include
a vulnerability in the Veeam Recovery Orchestrator, where use of a
hard-coded JWT secret exposed a critical security flaw allowing
attackers to forge tokens and perform unauthorized actions, an
authentication bypass vulnerability in Lua-Resty, and a JWT bomb
attack in Python-jose that can exploit the decode function and lead
to denial of service.
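The three JWT failure modes named above (a hard-coded signing secret that lets anyone who reads the source forge tokens, an authentication bypass in the verifier, and a decode path that does unbounded work on attacker-sized input) all come down to how the verifier is written. The following is an added illustration, not code from the Wallarm report or from any of the products it names: a minimal HS256 verifier using only the Python standard library. It reads the key from an assumed environment variable `JWT_HS256_SECRET` instead of a literal, accepts only the algorithm it expects, refuses compressed payloads, and rejects tokens above an assumed 4 KiB size limit before doing any base64 or JSON work. The size limit, the variable name and the sample secret are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Mapping, Optional

# Assumed upper bound on token size. Rejecting oversized tokens before any
# base64/JSON work bounds the cost of verification and blunts bomb-style input.
MAX_TOKEN_BYTES = 4096
# Assumed minimum key length for HS256 (256 bits).
MIN_SECRET_BYTES = 32


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding JWT strips; urlsafe_b64decode raises a ValueError
    # subclass on malformed input, which the verifier treats as a reject.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def load_secret(env: Mapping[str, str] = os.environ) -> bytes:
    """Read the HS256 key from the environment (assumed variable name)
    rather than from a hard-coded literal that ships with the source."""
    value = env.get("JWT_HS256_SECRET", "")
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT_HS256_SECRET missing or shorter than 32 bytes")
    return value.encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 JWT under `secret`, else None."""
    # Cheap size check first: no parsing of anything larger than the limit.
    if len(token.encode("utf-8")) > MAX_TOKEN_BYTES:
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: rejects "none", RS/HS confusion and any unexpected alg.
    # Refuse compressed payloads so decoding never inflates attacker input.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or "zip" in header:
        return None
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("utf-8"), hashlib.sha256
    ).digest()
    # Constant-time comparison; only after this do we trust the payload.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    # Constructed demo secret; a real deployment reads it via load_secret().
    demo_secret = b"constructed-test-secret-0123456789abcdef"
    token = sign_hs256({"sub": "alice", "role": "user"}, demo_secret)
    print("valid token ->", verify_hs256(token, demo_secret))
    # A token minted under a different key (e.g. a leaked default) is rejected.
    other = sign_hs256({"sub": "alice", "role": "admin"}, b"some-other-deployment-secret-xxxxxxxxxx")
    print("wrong key   ->", verify_hs256(other, demo_secret))
    # An oversized token is rejected before any decoding happens.
    print("oversized   ->", verify_hs256(sign_hs256({"pad": "x" * 5000}, demo_secret), demo_secret))
```

The order of checks is the point: size, then structure, then algorithm pinning, then the MAC, and only then the payload. A verifier that parses or decompresses the payload before the signature has been checked is doing work on behalf of an unauthenticated caller, which is the shape of the denial-of-service issue the report describes; a verifier whose key is a literal in the repository is only as secret as the repository.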
Despite its strong security focus, Grafana was found to have
several critical vulnerabilities this quarter, including a
vulnerability that allowed outside organizations to delete
snapshots with its key, a directory traversal flaw for .csv files,
and multiple OAuth issues, including account takeovers and token
leakages. These findings emphasize that even the most
security-conscious platforms are not immune to security flaws and
highlight the necessity for continuous monitoring and proactive
security practices.
AI API Exploits Continue to Accelerate
AI APIs accelerated at a surprising rate, with Q2 seeing a
threefold increase in API vulnerabilities observed in well-known AI
systems, underscoring the growing importance of securing AI systems
as they become increasingly integrated into the digital
ecosystem.
“As we observed in last quarter’s report, AI is introducing new
risk into the API threat landscape at a concerning rate. As
organizations continue to focus on attacks targeting AI/LLM
systems, they are far too frequently unaware of the AI API-related
risk that is being introduced into their environments,” says Ivan
Novikov, CEO of Wallarm.
Notable issues range from vulnerabilities in the AnythingLLM API
that allow arbitrary file deletion through path traversal in the
logo photo feature and remote code execution via environment
variables, to a directory traversal vulnerability in ZenML that
allows unauthorized access to sensitive files.
To view the full Q2 API ThreatStats™2024 Report, please visit:
https://www.wallarm.com/resources/q224-api-threatstats-tm-report
About Wallarm
Wallarm, the integrated API and Application Security company,
provides robust protection for APIs, web applications,
microservices, and serverless workloads running in cloud-native,
hybrid cloud, and on-premises environments. Wallarm is the
preferred choice of hundreds of security and DevOps teams for
comprehensive discovery of web apps and API endpoints, protection
against emerging threats throughout their API portfolio, and
automated incident response to enhance risk management. Wallarm is
headquartered in San Francisco, California, and is backed by Toba
Capital, Y Combinator, Partech, and other investors.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240731549444/en/
Joe Valensky PRforWallarm@bospar.com