Page 153 - Cyber Defense eMagazine September 2025

Actual Vulnerabilities: When APIs Turned Into the Attack Vector

               1.  T-Mobile (2023)

            Attackers used an exposed API to pull the personal information of 37 million customers, including
            phone numbers, account details and billing addresses. The worst part: for some of the queries
            involved, the API did not require authentication at all.

               2.  Peloton (2021)

            A security researcher found that Peloton's API returned users' location, age, gender and other private
            profile data even when the profile was set to private. The root cause was a classic shadow API
            mistake: the endpoint performed no proper authorization checks.

               3.  Parler (2021)

            Attackers scraped millions of posts and videos from the Parler platform through a poorly secured
            API that had no rate limiting.

            Each case points to the same root issue: shadow APIs are easier to attack because they escape the
            scrutiny and hardening that "official" production APIs receive.



            Why Conventional Defenses Are Ineffective

            Many businesses assume their API gateway or Web Application Firewall (WAF) provides adequate
            protection. But those tools can only protect the APIs they know about. Because shadow APIs are
            undocumented, they fall outside:

            • API inventories, because nobody documented them.

            • Gateway security, because developers expose them directly, bypassing the gateway.

            • Test frameworks, because they were never wired into the CI/CD pipeline.

            For this reason, shadow APIs are not just a technical problem but a governance one. Conventional
            defenses are predicated on visibility, and shadow APIs are, by definition, invisible to them.
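Since the gap is one of visibility, the practical check is to compare what the documented inventory says exists with what traffic shows actually being served. The script below is an added example written for this page, not a tool from the article or any vendor; the OpenAPI path list and the access-log lines are constructed. It normalizes concrete request paths to OpenAPI-style templates and reports every method/path pair seen in the log that the spec does not cover, which is exactly the set a spec-driven gateway, WAF rule set or CI test suite would never have seen.

```python
"""Inventory gap check: routes present in traffic but absent from the OpenAPI spec."""
import re
from collections import Counter

# Constructed: the documented inventory, keyed by OpenAPI path template.
OPENAPI_PATHS = {
    "/api/v2/users/{id}": {"GET"},
    "/api/v2/users/{id}/workouts": {"GET", "POST"},
    "/api/v2/auth/login": {"POST"},
}

# Constructed access-log lines (common log format) including an old v1 route,
# an internal export endpoint and an undocumented method on a documented path.
ACCESS_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Sep/2025:10:00:02 +0000] "GET /api/v2/users/1042/workouts HTTP/1.1" 200 2048
10.0.0.9 - - [01/Sep/2025:10:00:03 +0000] "GET /api/v1/users/1042/profile HTTP/1.1" 200 731
10.0.0.9 - - [01/Sep/2025:10:00:04 +0000] "GET /api/v1/users/1043/profile HTTP/1.1" 200 690
10.0.0.9 - - [01/Sep/2025:10:00:05 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 99120
10.0.0.5 - - [01/Sep/2025:10:00:06 +0000] "POST /api/v2/auth/login HTTP/1.1" 200 88
10.0.0.9 - - [01/Sep/2025:10:00:07 +0000] "DELETE /api/v2/users/1042 HTTP/1.1" 405 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Segments that look like identifiers (integer, UUID, long hex) collapse to {id}.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27}|[0-9a-f]{16,})$", re.I)


def normalize(path: str) -> str:
    """Drop the query string and replace id-like segments with {id} so a concrete
    request path can be matched against an OpenAPI path template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Count (method, normalized path) pairs seen in the access log."""
    routes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            routes[(m["method"], normalize(m["path"]))] += 1
    return routes


def shadow_routes(log_text: str, spec: dict) -> dict:
    """Return {(method, path): hits} for traffic the documented inventory does not cover.
    A documented path hit with an undocumented method is reported as well: that
    method is still an unreviewed surface."""
    return {
        route: n
        for route, n in observed_routes(log_text).items()
        if route[0] not in spec.get(route[1], set())
    }


if __name__ == "__main__":
    for (method, path), n in sorted(shadow_routes(ACCESS_LOG, OPENAPI_PATHS).items()):
        print(f"undocumented: {method:6} {path}  ({n} hits)")
```

Run against real gateway or load-balancer logs, the same comparison surfaces the deprecated versions, internal tools and debug routes that never made it into the inventory; the normalization step is what keeps ten thousand `/users/<n>` hits from masquerading as ten thousand distinct endpoints.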



            How DevSecOps Creates Shadow APIs


            Modern DevSecOps accelerates software delivery, but speed without control breeds shadow APIs:

               •  Feature velocity: development teams deploy APIs faster than security teams can catalog
                   them.
               •  Weak documentation culture: APIs are pushed without OpenAPI/Swagger specifications.




            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.