The phishing attack launched against Gmail accounts this week represents the opening of a new front in the cybersecurity war that strikes at the heart of the API economy.
Unlike other phishing attacks that require end user to log into a fake web site to give up their password, the phishing attack launched this week relied on a fake version a Google Docs was created by cybercriminals. The cybercriminals then asked end users for permission to read, write and access an end user’s emails stored on Gmail. Once that was given the attackers made use of tokens provided by the OAuth authentication protocol to access the user’s accounts without the end user ever having to give up their passwords.
Google shut down the attack quickly, but it’s estimated that about one million users where potentially affected. There are some basic Google security measures end users should routinely make use of to better secure their accounts, including making use of verification and security checkup services that Google provides.
But the most troubling thing about this attack is that it exploited one of the underpinnings of the API Economy. Application developers make extensive use of application programming interfaces (API) to connect applications. One of the most widely used protocols for authenticating applications that make use of APIs is OAuth. In fact, it’s estimated that OAuth is now employed across hundreds of thousands of applications. It’s popular because it provides a mechanism for establishing trust between applications. The issue rising now stems from the fact that OAuth is also used as an alternative to relying on passwords. That use case make OAuth implementations vulnerable to phishing scams.
The Gmail phishing attack, however, also illustrates the fundamental conflict that existing between application integration and IT security. In theory, the more integrated an application becomes with other applications the more value it has. But integration is also the enemy of security. All it takes is for one the weakest link in a chain of integrated applications to be compromised for every other application connected to that application to become potentially compromised as well.
There are, of course, API management platforms that provide higher levels of security across integration applications by implementing mechanisms that verify that the applications trying to invoke an API are legitimate. The challenge many IT security professionals are about to encounter is most of these APIs were developed independently of the applications they enable other applications to access. And just like any application the level of security implemented varies widely because most application developers still don’t spend enough time thinking about how to secure their applications much less the APIs used to access them.
At least half the traffic any Web application gets comes via an API. As microservices architectures based on containers that turn applications into smaller integrated modules that are easier to deploy and maintain become prevalent reliance on APIs is poised to exponentially increase. OAuth has been used to help secure those APIs. But if all it takes is for end user to be tricked into granting access to OAuth tokens is a phishing scam there’s going to be a lot more trouble ahead.
Obviously, it’s too late to turn the clock back on an API Economy that provides the underpinning for millions of mobile and Web applications. But at the very least IT security professionals should implement of review of how those APIs are implemented. Unfortunately, most of them are not going to like what they find.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard se spécialise dans l'informatique depuis plus de 25 ans et à ce titre, a publié et contribué à de nombreuses publications techniques, dont InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet et Digital Review. Il rédige actuellement des articles de blog pour IT Business Edge, et contribue à la rédaction d'articles pour CIOinsight, The Channel Insider, Programmableweb et Slashdot. Mike Vizard rédige aussi des articles traitant des nouvelles technologies Cloud pour SmarterMSP.