Wallarm unveiled its API ThreatStats Report for Q3 2024, revealing critical insights into the increasing number of API vulnerabilities and breaches impacting industries worldwide. The report confirms the trend of increasing numbers of API vulnerabilities across sectors and an escalating threat landscape specifically targeting APIs due to their accessibility and valuable data.
"During this quarter, we saw a surge in API-related security flaws across a wide range of industries, reminding us that API security is a truly horizontal problem," said Ivan Novikov, CEO and Co-Founder of Wallarm. "Additionally, we found that 32% of vulnerabilities are tied to cloud-native software, a clear indicator that cloud infrastructure and its associated APIs are becoming an increasingly attractive target for cybercriminals. This trend underscores the need for robust security solutions, particularly as organizations continue migrating critical operations to the cloud."
Wallarm's researchers uncovered a 21% increase in API vulnerabilities from the second quarter of 2024. Additionally, the vulnerabilities had an average Common Vulnerability Scoring System (CVSS) score of 7, with many scoring at 7.5, indicating high severity and reflecting how easily threat actors can exploit API issues. The substantial growth in discovered vulnerabilities highlights the expanding threat landscape, where APIs remain a primary target for cyberattacks across multiple sectors.
Key insights on API Q3 data breaches include:
- Client-Side API Vulnerabilities Expose Hidden Risks Not Covered by the OWASP API Top-10: Many breaches this quarter, like those at Hotjar, Business Insider, and Explore Talent, originated from client-side API flaws, such as OAuth misconfigurations and Cross-Site Scripting (XSS), which the OWASP API Top-10 does not adequately address. Developers often mistakenly consider OAuth a security improvement, but it becomes a critical weakness when misconfigured, enabling account takeovers and large-scale data exposure. These incidents reveal that client-side API security needs more attention and a dedicated approach to prevent such breaches.
- API Misconfigurations Amplify Breach Scale: Poorly secured APIs, especially those with weak authentication and authorization controls, lead to large-scale breaches because attackers can access and download entire datasets, not just isolated portions. This finding was evident in incidents at Deutsche Telekom and Fractal ID, where unauthenticated API access allowed attackers to access massive amounts of personal data, tariff information, and user tracking data. Unlike traditional malware attacks that may target random subsets of data, API breaches often result in complete data extraction, making the impact far more severe.
- APIs Are a Common Weak Link Across Diverse Industries: This summer's breaches affected a wide range of sectors, from telecommunications (Deutsche Telekom) and transportation (Metro Pacific Tollways Corporation) to blockchain and Web3 platforms (Fractal ID). These incidents prove that no industry is immune, and API vulnerabilities are a universal challenge across traditional and cutting-edge tech landscapes. Securing APIs requires consistent, industry-wide efforts to address evolving attack vectors.
As detailed in the report, another key discovery this quarter is the integral role of API security in AI systems. There is no AI without APIs; they are essential in connecting models, data, and infrastructure. API vulnerabilities directly impact AI functionality, and AI features can introduce unique vulnerabilities into APIs. Addressing AI exploits and API vulnerabilities together is crucial for comprehensive security, as they are deeply interconnected.
The increase in API vulnerabilities emphasizes the urgency for businesses to stay vigilant and invest in comprehensive API security measures. Wallarm is the only solution that unifies best-in-class API protection and real-time blocking capabilities to protect the entire API and web application portfolio in multi-cloud, cloud-native, and on-premise environments and empowers organizations to defend against these growing threats.
To download the full API ThreatStats Q3 2024 Report, visit http://www.wallarm.com/resources/q324-api-threatstats-report.