DX, API Design & Documentation

How Low-Tech Hackers Hack Your APIs in 15 Minutes or Less


Hackers like to hack; researchers like to research. Hackers also have creative interests. It is not always for academic reasons. They hack for fame, to be popular with friends, to create chaos, to disrupt your lifestyle, or just for fun. For the past 20 years, they also have financial incentives.

Conversely, researchers do it for intellectual stimulation.

When I was younger, I was part of the hacking community. Hackers cross the evil line and do things they are not supposed to. Hopefully, it is just immature and silly and not harmful. A hacker’s mentality is not normal, and that is something that you cannot plan for. You cannot plan for the chaos that may be created.

Say, for example, there is a stop sign which exists normally. Automated vehicles, as well as driver-driven cars, know that there is a stop sign. But, if a hacker can poison machine learning, automated cars may not know that there is a stop sign.

There was a hacker group a couple of years ago. They started reverse engineering some mobile apps and found a random mobile app with APIs. They would connect to such APIs connecting to an open system, and they would find data. They would gather data like admin access, user names, passwords, and other sensitive information.

Some attacks are Broken Object Level Authorization (BOLA) attacks, but not all are. They’re simple, open APIs identified by hackers and compromising large amounts of data. APIs lacking authentication controls allow anyone, including threat actors, access to potentially sensitive information. They download the app, decrypt it and get its source code. From the source code, the hackers get the APIs.

A modus operandi is they get API data from the older version and then wait for the next release. They then get the newer version. They target the newer APIs because the chances of them being vulnerable are high. They then try and connect through these APIs and breach the data. They took 15 minutes to hunt APIs. So, essentially, they performed a data breach in 15 minutes, all automated, all scripted, without almost any human effort.

Using this method, hackers can target mobile apps, web apps, serverless apps, and basically, any type of API. So, the attack surface is humongous. The fact that they can script it and look for new net APIs is a clever way to pull off a data breach.

Similarly, hackers get keys and tokens on the Cloud to perform a data breach.

Solutions and Tools

Tools like API Hunter and Shadow API can be used to avoid this. In addition, you can use the following solutions –

  • Detect your shadow and unregistered APIs.
  • Scan unauthenticated APIs – If they’re not authenticated and they have access to sensitive data, you have a data breach on your hand with a very low-tech attack.
  • Detect keys and tokens – Scan them for security and sensitivity.
  • Analyze your Cloud daily for personally identifiable information.

Himanshu Dwivedi

Himanshu Dwivedi

CEO of Data Theorem
Technology Executive - Started three companies, incubated one company, worked in four start-ups - Owner of one patent (7849504) - Published six different technology books

APIdays | Events | News | Intelligence

Attend APIdays conferences

The Worlds leading API Conferences:

Singapore, Zurich, Helsinki, Amsterdam, San Francisco, Sydney, Barcelona, London, Paris.

Get the API Landscape

The essential 1,000+ companies

Get the API Landscape
Industry Reports

Download our free reports

The State Of Api Documentation: 2017 Edition
  • State of API Documentation
  • The State of Banking APIs
  • GraphQL: all your queries answered
  • APIE Serverless Architecture