
API Security Weekly: Issue #139


Recent API vulnerabilities at Apple, Amazon, and 1Sambayan (Philippines opposition) volunteer app, and there is an upcoming API security webinar by Gartner.
This week, we take a look at the recent API vulnerabilities at Apple, Amazon, and the volunteer coordination app of the Philippine opposition coalition, and there is an upcoming API security webinar by Gartner.

Laxman Muthiyah was able to demonstrate how he could brute-force his way into taking over someone else's Apple iCloud account by exploiting the password reset API endpoint.

Apple's Forgot Password function allows you to change your password by sending a 6-digit verification code to your registered phone number and email address. Muthiyah found that Apple does have some protection against brute-force attacks in place: for example, after 5 unsuccessful attempts the account was locked for a few hours.

Since attackers likely won't have access to the user's phone and inbox, Muthiyah checked whether he could programmatically try all the possible combinations (1 million combinations for a 6-digit code) without the account being locked. This would require invoking the API from scripts, possibly from multiple machines at the same time, so that the system does not have time to lock the account.

It turned out that the rate-limiting of that API was in fact a generic rate limit across the whole API, not one dedicated to the password reset flow. Muthiyah could send 6 concurrent POST requests from a single IP address, and he found 6 separate API instances on the Apple side that he could invoke.
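The defect described above is that the attempt budget for a 6-digit code was not tied to the account being reset. The following added example (not code from the article or from Apple) models a reset-code verifier whose failure counter can be keyed either by client address (the generic rate limit) or by account, and whose counters can live either in a central store shared by all API instances or in each instance's own memory. The helper `guesses_permitted` measures how many wrong codes the service actually compares before it starts refusing; the account name, IP addresses, lockout duration and code lifetime are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # attempts before lockout, as in the article
LOCKOUT_SECONDS = 3 * 3600  # "a few hours"; assumed value
CODE_TTL_SECONDS = 600      # lifetime of an issued code; assumed value


@dataclass
class Challenge:
    code: str          # 6-digit code delivered to the user's phone/email
    expires_at: float


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class ResetCodeVerifier:
    """One API instance verifying password-reset codes.

    scope      "account": failures are counted against the account being reset
               "ip":      failures are counted against the client address only
                          (a generic rate limit, the weakness the article describes)
    challenges issued codes keyed by account (shared by all instances)
    attempts   failure counters; pass the same dict to every instance to model a
               central store, or a fresh dict per instance to model counters that
               exist only in that instance's memory
    """

    def __init__(self, scope: str, challenges: dict, attempts: dict):
        if scope not in ("account", "ip"):
            raise ValueError("scope must be 'account' or 'ip'")
        self.scope = scope
        self.challenges = challenges
        self.attempts = attempts

    def start_reset(self, account: str, now: float) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[account] = Challenge(code, now + CODE_TTL_SECONDS)
        return code  # sent out-of-band in reality; returned only so the demo can run

    def verify(self, account: str, submitted: str, client_ip: str, now: float) -> str:
        key = account if self.scope == "account" else client_ip
        state = self.attempts.setdefault(key, AttemptState())
        if now < state.locked_until:
            return "locked"      # refused before the code is even compared
        challenge = self.challenges.get(account)
        if challenge is None or now > challenge.expires_at:
            return "expired"
        if hmac.compare_digest(challenge.code, submitted):
            self.challenges.pop(account, None)
            self.attempts.pop(key, None)
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
        return "wrong"           # the code was compared and did not match


ACCOUNT = "alice@example.com"   # constructed sample account


def guesses_permitted(scope: str, client_ips: list, instances: int,
                      shared_counters: bool, per_ip: int = MAX_ATTEMPTS) -> int:
    """Count how many wrong codes the service actually compares before refusing.

    Every client address submits `per_ip` wrong codes, and requests are spread
    round-robin across `instances` API instances. The result is the guessing
    budget the deployment hands out for one account; the defender wants it to
    stay at MAX_ATTEMPTS regardless of how many addresses or instances are used.
    """
    challenges: dict = {}
    central: dict = {}
    verifiers = [ResetCodeVerifier(scope, challenges, central if shared_counters else {})
                 for _ in range(instances)]
    code = verifiers[0].start_reset(ACCOUNT, now=0.0)
    wrong = "000000" if code != "000000" else "000001"   # guaranteed mismatch
    compared = 0
    for i, ip in enumerate(client_ips):
        instance = verifiers[i % instances]
        for _ in range(per_ip):
            if instance.verify(ACCOUNT, wrong, ip, now=1.0) == "wrong":
                compared += 1
    return compared


if __name__ == "__main__":
    ips = [f"198.51.100.{n}" for n in range(1, 7)]   # six constructed addresses
    print("per-IP limit, shared counters:", guesses_permitted("ip", ips, 6, True))
    print("per-account limit, counters per instance:", guesses_permitted("account", ips, 6, False))
    print("per-account limit, shared counters:", guesses_permitted("account", ips, 6, True))
```

Only the last configuration keeps the budget at 5: keying the counter by client address lets every additional address bring its own 5 attempts, and keying it by account but storing it per instance lets every additional instance do the same. A production verifier would additionally invalidate the issued code once the account is locked, so that a stale counter on one instance cannot reopen the window.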
