Brian Krebs reported that thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click. The directory also included all 388 Blacklist customer API keys, as well as each customer’s phone number, employer, username and password.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
This is a perfect example of how an API can be used to foster partnerships, but lacking in execution with all too common API authentication errors being made. API keys are a good start, but stronger authentication may be in order to protect the customer data. The more significant error was exposing the API keys in a publicly accessible storage mechanism. These types of errors seem to occur weekly. Do the developers really understand the ramifications of public-facing APIs and data? It\’s exposed to everyone. It\’s a simple question, but what else can explain the repetitive nature of these basic errors?