API Security Weekly: Issue #10
Vulnerabilities
Another API vulnerability has been found in Google+ (we reported on the previous one in our first newsletter back in October). It turns out that an update Google rolled out in November put user data at risk because permissions were not properly enforced: the API could return user profile data even when that data was not public. Google did a good job with the disclosure: they found the bug themselves, fixed it in 6 days, and report no evidence that it was ever exploited.
Unprotected APIs
Ethereum wallets and mining equipment are getting hacked through the JSON-RPC API. The API was designed for applications running locally on the same server, so it has no authentication by default. Unfortunately, some systems have it listening on all interfaces, exposing the API on port 8545 to the whole network without any protection. The API gives full control over the node and its wallet, and there have already been reports of millions of dollars' worth of cryptocurrency stolen through it. https://goo.gl/vZpr5X
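An added defender-side check, not from the newsletter or from any wallet or node project: it audits a host's own listening sockets by parsing `ss -lntH` output and reporting every listener on port 8545 that is not bound to a loopback address. The sample `ss` output is constructed; the port number is the one mentioned above.

```python
import ipaddress
import subprocess

RPC_PORT = 8545  # JSON-RPC port named in the newsletter item

# Constructed sample of `ss -lntH` output (header suppressed), not from a real host.
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8545 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8546 0.0.0.0:*
LISTEN 0 4096 *:8545 *:*
LISTEN 0 128 [::1]:8545 [::]:*
LISTEN 0 128 [::]:8545 [::]:*
"""


def parse_listener(field):
    """Split an ss local-address field such as '127.0.0.1:8545', '*:8545'
    or '[::1]:8545' into (host, port). '*' and '::' mean all interfaces."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for loopback addresses (127.0.0.0/8, ::1); wildcard binds
    such as '*', '0.0.0.0' and '::' are explicitly treated as exposed."""
    if host in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_rpc_listeners(ss_output, port=RPC_PORT):
    """Return the local-address fields of LISTEN sockets on `port` that are
    reachable from other hosts, i.e. not bound to a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, p = parse_listener(fields[3])
        if p == port and not is_loopback(host):
            findings.append(fields[3])
    return findings


if __name__ == "__main__":
    # Audit the local machine; `ss -lntH` lists listening TCP sockets without a header.
    live = subprocess.run(["ss", "-lntH"], capture_output=True, text=True, check=True).stdout
    for addr in exposed_rpc_listeners(live):
        print(f"JSON-RPC listener exposed beyond loopback: {addr}")
```

Run on the sample, the check flags `*:8545` and `[::]:8545` and accepts the loopback-bound listeners.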