Articles

This week, the OAuth 2.0 Token Exchange got its RFC, and there is an upcoming webinar on JWT. In addition, we take a look at where to start with securing your APIs, and how 2020 seems to be shaping up according to analysts.

Standard: OAuth 2.0 Token Exchange

IETF has published the RFC 8693 for OAuth 2.0 Token Exchange.

Source of the article on DZONE

This week, we look at API vulnerabilities in Kubernetes and 3Fun, the upcoming API Specification Conference, and slides from an EIN 2019 conference presentation.

Vulnerabilities: Kubernetes

Kubernetes has fixed the API vulnerability CVE-2019-11247.

Source of the article on DZONE

This week, we take a look into API vulnerabilities found in Tinder and Axway SecureTransport. In other news, FTC and Equifax have reached a settlement related to the 2017 breach, and the slides for an API security talk have been posted.

Vulnerability: Tinder

Sanskar Jethi has found that Tinder restricts its premium features (such as unblurred images of those who like you) to premium members only in the app, not in the API: the API actually delivers regular, unblurred images to everyone.

Source of the article on DZONE

As we are wrapping up 2018, you can’t help looking back at the record number of high profile API breaches that happened this year and wondering what can be expected next year. However, it is not all about the holiday mood: this week was also marked by a security hole in mutual TLS authentication in the Go language, XSS at Google Code-in, another Facebook glitch, hundreds of vulnerable Kubernetes deployments, and an announcement of the upcoming healthcare API standards in the US.

Vulnerabilities

The big one this week is the mutual TLS authentication issue in the Go language. The vulnerability that got fixed this week allowed attackers to launch CPU DoS attacks. With Go being one of the most popular programming languages in the microservices and backend implementation world, and mutual TLS one of the most popular security mechanisms, the impact of the vulnerability is significant.

Source of the article on DZONE