What happens when the API is technically secure but the environment, whether widget, web site or mashup, is not? Recent security breaches at MySpace and Yahoo, which led to the release of semi-embarrassing photos of prolific celebs Paris Hilton and Lindsay Lohan, point out the added opportunities for hackers in the open web.
According to the CNET story the vulnerability was caused by a ‘deprecated API’, but it also appears to be a function of the interaction between two cooperating environments: a MySpace widget that in turn used a Yahoo authorization scheme. The vulnerability has been fixed but the step-by-step details are outlined by this Valleywag article.
And the folks over at F5 looked at this and asked: Is deprecation of APIs a security risk? They call out some of the inherent issues with deprecating functionality in an online API: “Deprecation is to developers what quiescing is to database administrators and bleeding-off is to TCP-focused products. Deprecation can take years, as anyone familiar with the Java language specification can tell you…Deprecation in a Web-based API a la REST also increases the number of methods, scripts, or applications that have to be maintained and increases the potential security holes through which bad guys might be able to access private data – or worse.”
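The F5 point, that every deprecated method left in service is one more place where the security policy can lag behind the current version, is easiest to see in code. The following is an added example written for this post, not code from the original article or from MySpace, Yahoo or F5: a small in-process router that keeps a deprecated endpoint version answering, but runs every version through the same authorization check before any version-specific code, advertises the retirement date with the Sunset header from RFC 8594 (and a Deprecation header), and can list what is still served but slated for removal. The route names, bearer tokens, dates and fixed clock are constructed for the demonstration; it assumes Python 3 and needs no third-party packages.

```python
"""Added example: a tiny API router that applies one authorization policy to
current and deprecated endpoint versions alike. Everything below (routes,
tokens, dates, the fixed clock) is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, Optional, Tuple

# Constructed bearer tokens standing in for a real session store.
VALID_TOKENS = {"tok-alice": "alice"}


@dataclass
class Route:
    handler: Callable[[str], dict]   # receives the authenticated user id
    deprecated: bool = False
    sunset: Optional[date] = None    # after this date the route answers 410 Gone


def _user_from(headers: dict) -> Optional[str]:
    """Resolve 'Authorization: Bearer <token>' to a user id, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    return VALID_TOKENS.get(token)


@dataclass
class Router:
    routes: Dict[Tuple[str, str], Route] = field(default_factory=dict)
    today: date = date(2008, 8, 1)   # constructed clock so the example is deterministic

    def add(self, version: str, path: str, handler, *, deprecated=False, sunset=None):
        self.routes[(version, path)] = Route(handler, deprecated, sunset)

    def deprecated_routes(self):
        """Inventory of versions still served but marked for removal."""
        return sorted(key for key, route in self.routes.items() if route.deprecated)

    def dispatch(self, version: str, path: str, headers: dict):
        """Return (status, response headers, body) for a request."""
        route = self.routes.get((version, path))
        if route is None:
            return 404, {}, {"error": "no such route"}
        # Authorization runs before any version-specific handler, so a deprecated
        # version cannot quietly keep an older, weaker check of its own.
        user = _user_from(headers)
        if user is None:
            return 401, {}, {"error": "authorization required"}
        if route.sunset is not None and self.today > route.sunset:
            return 410, {}, {"error": "endpoint retired"}
        extra = {}
        if route.deprecated:
            extra["Deprecation"] = "true"
            if route.sunset is not None:
                extra["Sunset"] = route.sunset.isoformat()   # RFC 8594
        return 200, extra, route.handler(user)


def build_router(today: date = date(2008, 8, 1)) -> Router:
    """Constructed sample API: v2 is current, v1 is deprecated until a sunset date."""
    router = Router(today=today)
    photos = lambda user: {"owner": user, "photos": ["private.jpg"]}
    router.add("v2", "/photos", photos)
    router.add("v1", "/photos", photos, deprecated=True, sunset=date(2008, 12, 31))
    return router


if __name__ == "__main__":
    r = build_router()
    print("still deprecated but served:", r.deprecated_routes())
    print("v1 without token:", r.dispatch("v1", "/photos", {})[0])
    print("v1 with token:", r.dispatch("v1", "/photos", {"Authorization": "Bearer tok-alice"})[:2])
    print("v1 after sunset:", build_router(date(2009, 1, 1))
          .dispatch("v1", "/photos", {"Authorization": "Bearer tok-alice"})[0])
```

The design choice is that the authorization decision lives in the router, not in each version's handler, so adding or retiring a version changes the inventory returned by `deprecated_routes()` but never the policy; the Sunset date gives clients notice and the 410 after it closes the old surface outright rather than leaving it to be forgotten.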
This isn’t the first time privacy-related mashup security has been newsworthy. Even two years ago just the prospect of open API-enabled security breaches was the centerpiece of a New Scientist story on Mashups as Hacker’s Dream. And “creative application” of available online personal data was used in the eye-opening proof of concept we covered in Banned Books and the Big Brother Mashup, in which readers of subversive books got plotted on a Google Map.
And as the web opens and interconnects, we’ll certainly see more incidents of this type. Racy photos are one thing, but what if it is your medical history or financial records? And with multiple vendors, some of whom don’t have the policies and reputation of the big players, who is responsible for repairing and notifying you if such a breach occurs?