Prying-Eye Vulnerability: Direct-to-API Enumeration Attack Enables Snooping

October 1, 2019 | by CQ Prime Threat Research Team

Prying-Eye Vulnerability

The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality or not assigning a password is followed, then the bad actor would be able to view or listen to an active meeting.

Numeric or alpha-numeric sequences are quick and easy mechanisms used to grant access to online resources at scale. When deployed with security disabled or ignored, these numeric identifiers become easy targets for automated attacks. The widespread use of APIs that connect web forms to backend systems, or to other applications make these types of automated attacks easier to execute. In the case of the Prying-Eye vulnerability, users should adopt the best practice of using vendor-supplied security functionality to protect their meetings, and if possible, confirm the attendee identities.

This vulnerability highlights the astronomical growth of API usage and the need to secure them not only from traditional vulnerability exploits, but from seemingly legitimate, yet automated bot attacks. Driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic, direct-to-API attacks are increasingly common. By targeting the API as opposed to scripting a form fill, a bad actor can leverage the same benefits of ease of use, efficiency and flexibility that APIs bring to the development community.

  • APIs are the language of the Web: According to Gartner, By 2021, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 20191. Mobile and smart devices use API calls to ensure optimal performance and user experience. Yet at the same time, mobile applications can be analyzed to more easily program an attack, as highlighted in the Aite Group Analysis of Mobile Applications. As shown in the image below from SmartBear State of the API, 2019 Report, organizations are using APIs for many things, including to facilitate interoperation with other elements, reduce development time and extend functionality. In most cases, the APIs are exposed and commonly well documented, making the bad actors’ job easier.

Prying-Eye Vulnerability, enumeration attack

  • Stateless nature of APIs means better performance: By design, APIs are stateless, assuming that the initial request and response are self-contained, holding all the information needed to complete the transaction. Using an API directly, or in a mobile or web application improves user experience and overall performance. This makes it very easy for a bad actor to script and automate their attack.

The ubiquity and stateless nature of APIs are beneficial in many ways, but they also introduce numerous challenges that traditional security technologies cannot address.

  • No client-side footprint: By design, APIs do not assume a client-side component, so traditional defense techniques like Captchas or JavaScript/SDK instrumentation cannot help. This was the case in the Prying-Eye discovery and would be the same for any direct to API use case.
  • No corresponding browser application: The direct-to-API approach assumes that there is no corresponding browser or mobile app for user redirection and associated instrumentation and cookie assignment. The result is the API and associated application is left unprotected.

The Cequence Application Security Platform prevents enumeration attacks and API abuse using CQAI, a patented machine-learning analytics engine that detects the all of the application end points including web, mobile and those that are API-based. CQAI then analyzes the application requests to determine the intent and if deemed malicious, allows you to mitigate the attack through blocking, rate limiting, geo fencing, or deception.

Watch this 5-minute video to learn more:

1) Gartner, API Security: What You Need to Do to Protect Your APIs, August 2019

CQ Prime Threat Research Team


CQ Prime Threat Research Team

Additional Resources