In a concerning report, Twilio has confirmed a security breach in its Authy app. An unsecured API endpoint allowed threat actors to access and verify the phone numbers of millions of Authy users, making them susceptible to SMS phishing and SIM-swapping attacks. This breach is reminiscent of a 2022 incident where Twilio’s security was compromised, leaking information about 75 million users.
Authy is a widely used multi-factor authentication app that provides two-factor authentication (2FA) to secure online accounts, generating time-sensitive codes that refresh every 20 seconds. The app is versatile and is compatible with Android, iOS, macOS, Windows, and Linux, and it stores codes on the cloud, ensuring users can always access their 2FA even if they lose their phone.
The breach exposed a glaring vulnerability in Authy's system, where threat actors could exploit the unsecured API endpoint to feed in large lists of phone numbers and the endpoint would then return numbers linked to Authy accounts along with other account information, compromising 33 million phone numbers registered on the app.
Despite its robust security measures, Authy’s reputation is now under scrutiny due to this latest breach.
In response to this breach, Twilio promptly released updates for its Android and iOS apps on July 1, alongside a news release detailing the incident. These updates were aimed to enhance security and protect users from further exploitation.
What is an unauthenticated API endpoint?
As the name suggests, an unauthenticated API endpoint is a route or URL inside an API that does not require any form of login or authorization for access. This means that anyone, without needing to verify their identity, can send a request to the endpoint and receive a response.
An unauthenticated endpoint can cause several security threats like:
- Unauthorized Access: Anyone can access the endpoint, potentially leading to exposure to sensitive information.
- Data Exploitation: Malicious actors can exploit the endpoint to gather large amounts of data, as seen in the Twilio/Authy case.
- Service Abuse: The endpoint can be abused to overload the system with requests, leading to denial-of-service (DoS) attacks.
Despite these threats, unauthenticated endpoints are a common occurrence because of the need for streamlined development, prioritizing functionality over security during the initial stages.
How to protect unauthenticated API endpoint
To adapt to the need for rapid development, here are a few strategies you can use to protect inauthentic API endpoints without compromising on your development speed:
1. Implement Authentication and Authorization
- Authentication: Ensure that API endpoints require proper authentication, such as OAuth, API keys, or tokens. This ensures that only verified users or systems can access the API.
- Authorization: Beyond authentication, ensure that users have the correct permissions to access specific resources or perform actions.
2. Rate Limiting and Throttling
- Rate Limiting: Implement rate limits to restrict the number of requests a user or system can make to the API within a certain period. This helps prevent abuse and protects against denial-of-service (DoS) attacks.
- Throttling: Similar to rate limiting, throttling controls the rate at which requests are processed to manage load and ensure service availability.
3. Use HTTPS
- Always use HTTPS to encrypt data in transit, ensuring that sensitive information is not exposed to eavesdroppers or man-in-the-middle attacks.
4. Use API Observability tools:
- Leverage tools like Treblle to get detailed logs, metrics, and trace data about API requests and responses to monitor and debug suspicious activity quickly.
5. API Gateway and Web Application Firewall (WAF)
- Use an API gateway to manage and secure API traffic, including implementing security policies, rate limiting, and authentication.
- Deploy a Web Application Firewall (WAF) to filter and monitor HTTP traffic to and from the API, protecting against common web exploits.
6. Use Strong API Keys and Tokens
- Ensure that API keys and tokens are complex, unique, and rotated regularly. Do not hard-code them in applications or expose them in public repositories.
What is the difference between authenticated and unauthenticated API Endpoint?
Authenticated endpoints as the name suggests are endpoints that require proper authentication and authorization to revert on any request. Here’s a tabular comparison between the two based on their application, use cases, and several other factors:
Aspect | Authenticated API Endpoint | Unauthenticated API Endpoint |
---|---|---|
Access Control | Requires users or systems to verify their identity before access | Does not require any form of identity verification |
Security | Higher security due to authentication mechanisms (e.g., OAuth) | Lower security, susceptible to unauthorized access |
Usage Scenario | Used for accessing sensitive or restricted data | Used for public data or open-access resources |
Examples of Authentication Methods | API keys, OAuth tokens, JWT (JSON Web Tokens) | None |
Risk Level | Lower risk of abuse and data breaches | Higher risk of abuse, data breaches, and exploitation |
Data Exposure | Access to data is controlled and monitored | Data is potentially exposed to anyone who can reach the endpoint |
Implementation Complexity | More complex to implement due to authentication requirements | Simpler to implement, no authentication logic is needed |
Here’s a short video breakdown more on the difference between authenticated vs unauthenticated API endpoints:
Top 4 Tools to Protect Your APIs:
Here are our top 4 picks when it comes to securing your APIs:
1. Graylog for log monitoring
Graylog Open Source is a self-managed centralized log management solution designed for aggregating, analyzing, and managing log data. It helps organizations efficiently collect and interpret vast amounts of log data generated by IT infrastructure.
Graylog's robust log management and alerting capabilities make it an essential tool for maintaining API security by providing better threat detection using detailed logs.
2.OAuth Tools for OAuth Testing
OAuth Tools is a digital playground that lets you test the inner functioning of your OAuth. You can use this tool to decode tokens like JWT, Access Token, Refresh Token, etc.
3. Datadome for API Endpoint limiting
Datadome is an API security tool that helps you safeguard your API endpoints from unwelcome bot attacks. The tool helps you set API call limit requests per endpoint so hackers and API explorers can’t use your APIs beyond a limit.
4. Treblle: One platform for Everything APIs
Treblle is an enterprise-grade API security tool that offers security, governance, and observability features. It helps monitor, secure, and manage your APIs effortlessly.
The tool also offers a proactive API security monitoring feature where the tool runs 15 security checks on every single API request and gives it one of three threat levels: Low, Medium, or High.
The tool also checks your incoming traffic by default using an automatic IP reputation check to help you evaluate the threat potential of your API traffic spikes as they happen. This proactive approach is very helpful in preventing SQL injection attacks among others.
Treblle integrates seamlessly with existing workflows, enhancing the overall efficiency of API management.
Conclusion
The recent Twilio API breach serves as a critical reminder of the importance of securing APIs. An unsecured API endpoint in Twilio's Authy multi-factor authentication app allowed threat actors to access and verify the phone numbers of millions of users, exposing them to potential SMS phishing and SIM-swapping attacks.
While APIs are the backbone of seamless data exchange and functionality across platforms and applications, they also represent a significant attack surface that, if left unprotected, can lead to data breaches, unauthorized access, and substantial reputational damage.
Securing APIs is a fundamental aspect of safeguarding user data and maintaining trust. By using tools like Treblle, organizations can proactively manage their API security, prevent breaches like the one experienced by Twilio, and maintain the integrity and reliability of their digital services.
Secure your APIs before it’s too late. Book a call with our API expert or schedule a PoC.