#APIkeys
WE'RE LIVE ON KICK! 💥 Join chiefgyk3d for a spicy stream! $55K mistake deets, Cybersecurity rants, Linux gaming & Doppler talk! Don't miss out! Come hang NOW! #Cybersecurity #LinuxGaming #Doppler #APIKeys https://kick.com/chiefgyk3d

social.chiefgyk3d.com
November 13, 2025 at 12:45 AM
WE'RE LIVE ON KICK! 💥 Join chiefgyk3d for a spicy stream! $55K mistake deets, Cybersecurity rants, Linux gaming & Doppler talk! Don't miss out! Come hang NOW!
#cybersecurity #linuxgaming #doppler #apikeys

https://kick.com/chiefgyk3d
November 13, 2025 at 12:40 AM
📣 New Podcast! "The Unseen Storm: Securing APIs and Protecting Against Key Exposure" on @Spreaker #apikeys #apisecurity #appauthentication #approov #cybersecurity #devsecops #infosec #mobilesecurity #websecurity #zerotrust
The Unseen Storm: Securing APIs and Protecting Against Key Exposure
This week on Upwardly Mobile, we delve into the hidden dangers lurking within seemingly simple applications and the advanced solutions required to close the modern mobile security trust gap. We analyze a case study involving a basic weather application to illustrate how common development mistakes—like exposing sensitive API keys and neglecting input validation—create catastrophic security vulnerabilities, potentially leading to data breaches, financial loss, and system compromise.

The Problem: Client-Side Secrets and Architectural Flaws
The proliferation of web applications consuming public APIs has vastly expanded the attack surface. Developers often treat the client environment as trusted, leading to critical architectural failures. We discuss how exposed API keys embedded in client-side JavaScript are considered "low-hanging fruit" for attackers.

Key Takeaways from the Security Analysis:
- Reconnaissance and Exploitation: Attackers can use tools like curl and grep with regular expressions to scan target URLs for hardcoded API key patterns. Once obtained, keys can be used for unauthorized calls, potentially exceeding quotas and incurring costs.
- Interception: Tools like Burp Suite enable attackers to intercept and modify API traffic, revealing the exact structure of API calls, including the API key and parameters.
- Injection Attacks: Poor input sanitization on server-side search functionalities is a primary attack vector. We examine verified command snippets used to test for command injection (e.g., appending cat /etc/passwd) and NoSQL Injection (e.g., using MongoDB operator syntax).
- Lateral Movement: An exposed API key is often just the beginning. If the key has excessive permissions, it can allow an attacker to enumerate IAM policies, check for sensitive S3 buckets, and even create persistent administrative users, leading to a full cloud account takeover.

Defensive Fundamentals for Developers:
To combat these threats, security must be shifted left—integrated into the earliest stages of development. We review critical defensive measures:
- Environment Variable Security: API keys must never be exposed to the client; they should reside in secure server-side environment variables. The client should request data from your secure server endpoint, which then internally fetches the data from the third-party API using the hidden key.
- Rate Limiting: To protect backend APIs from abuse and "Denial-of-Wage" attacks (attacks that incur cost), rate limiting middleware (like express-rate-limit) is essential. This blocks automated scripts by limiting each IP to a set number of requests within a time window.
- Cloud Hardening: Security extends to infrastructure. Developers must audit cloud resources, checking S3 bucket policies for leaks and ensuring EC2 security groups only allow necessary web traffic (ports 80 and 443).

Closing the Mobile API Security Trust Gap with Positive Authentication
While these fundamentals are crucial, mobile app security introduces unique challenges, creating a concerning "trust gap". Traditional security measures like TLS, mutual TLS, embedded API keys, and signature-based approaches are often insufficient, as they are vulnerable to reverse engineering, MitM attacks, and spoofing. We discuss Approov, a solution designed for the mobile world that uses a positive trust model to authenticate the app instance itself, rather than just the user or the connection.
- App Attestation: https://approov.io/ uses a challenge-response cryptographic protocol to dynamically measure the integrity of the runtime app image.
- Tokens (JWT): Only genuine, untampered apps are granted a short-lived JSON Web Token (JWT). Requests without a valid token are immediately rejected by the backend API.
- Protection against Reverse Engineering: Because the system does not rely on static secrets embedded in the app, traditional reverse engineering techniques are ineffective. Approov also provides a runtime secrets protection capability, allowing developers to remove third-party API keys from the app package entirely, substituting them only just in time for the API call after the app has passed attestation.
- Benefits: This positive authentication model blocks sophisticated bots, automated scraping systems, and repackaged apps, ensuring that only registered, authentic versions of your application can access your valuable digital assets.

Links & Resources
Source Material Reference:
- Excerpts from "https://undercodetesting.com/the-unseen-storm-how-a-simple-weather-app-exposes-critical-api-security-flaws/"
- Excerpts from "https://approov.io/addressing-the-security-trust-gap-in-a-mobile-world"
Sponsor:
- Learn how Approov protects your revenue and business data by deploying Mobile Security: https://www.approov.io/

Keywords: API security, mobile security, API key protection, reverse engineering, input validation, client-side vulnerabilities, app attestation, JWT, zero-trust architectures, rate limiting, cloud security, Denial-of-Wage, Man-in-the-Middle (MitM), Burp Suite, Approov.
www.spreaker.com
October 27, 2025 at 7:30 AM
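The "Environment Variable Security" and "Rate Limiting" measures in the podcast summary above, worked through as a small Node server. This is an added example, not code from the podcast or its sources; the WEATHER_API_KEY variable, the upstream URL and the /api/weather route are assumptions made for it, and the limiter is a plain fixed-window implementation rather than express-rate-limit.

```javascript
// Rate-limited server-side proxy that keeps a third-party API key off the client.
// Added example, not code from the podcast or its sources; WEATHER_API_KEY, the
// upstream URL and the /api/weather route are assumptions made for this example.

// Fixed-window limiter: at most `max` requests per `windowMs` for each client IP.
// `now` is injectable so the window logic can be exercised deterministically.
function createRateLimiter({ windowMs, max, now = Date.now }) {
  const windows = new Map(); // ip -> { start, count }
  return function allow(ip) {
    const t = now();
    let w = windows.get(ip);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 };
      windows.set(ip, w);
    }
    w.count += 1;
    return w.count <= max;
  };
}

// The key must never reach the browser, not even inside an error message that
// quotes the upstream URL. Replace every occurrence before responding.
function redactSecret(text, secret) {
  const s = String(text);
  return secret ? s.split(secret).join('[REDACTED]') : s;
}

// Validate the user-supplied city so it cannot smuggle extra query parameters
// into the upstream request (letters, spaces and a few punctuation marks only).
function normalizeCity(raw) {
  const city = String(raw ?? '').trim();
  return /^[\p{L} .'-]{1,64}$/u.test(city) ? city : null;
}

// Core request logic. `fetchUpstream(url)` is injected so the handler can run
// without network access; it returns the upstream JSON or throws on failure.
async function handleWeather({ ip, city }, { apiKey, allow, fetchUpstream }) {
  if (!allow(ip)) return { status: 429, body: { error: 'rate limit exceeded' } };
  const safeCity = normalizeCity(city);
  if (!safeCity) return { status: 400, body: { error: 'invalid city' } };
  const url = 'https://api.example-weather.test/v1/current?q=' +
    encodeURIComponent(safeCity) + '&appid=' + encodeURIComponent(apiKey);
  try {
    const data = await fetchUpstream(url);
    // Return only the fields the client needs; the upstream payload may echo the key.
    return { status: 200, body: { city: safeCity, tempC: data.tempC } };
  } catch (err) {
    return { status: 502, body: { error: redactSecret(err.message, apiKey) } };
  }
}

// Dependencies for a real deployment: key from the server environment, a
// 30-requests-per-minute limiter, and a fetcher over Node's global fetch.
function makeDeps() {
  const apiKey = process.env.WEATHER_API_KEY;
  if (!apiKey) throw new Error('WEATHER_API_KEY is not set in the server environment');
  return {
    apiKey,
    allow: createRateLimiter({ windowMs: 60_000, max: 30 }),
    fetchUpstream: async (url) => {
      const r = await fetch(url);
      if (!r.ok) throw new Error(`upstream responded ${r.status} for ${url}`);
      return r.json();
    },
  };
}

// Minimal HTTP front end; the browser calls GET /api/weather?city=Lisbon and
// never sees the key. Dynamic import keeps this file usable as CJS or ESM.
async function startServer(port, deps) {
  const { createServer } = await import('node:http');
  const server = createServer(async (req, res) => {
    const u = new URL(req.url, 'http://localhost');
    if (u.pathname !== '/api/weather') { res.writeHead(404); res.end(); return; }
    const ip = req.socket.remoteAddress || 'unknown';
    const out = await handleWeather({ ip, city: u.searchParams.get('city') }, deps);
    res.writeHead(out.status, { 'content-type': 'application/json' });
    res.end(JSON.stringify(out.body));
  });
  await new Promise((resolve) => server.listen(port, resolve));
  return server;
}

// Start only when explicitly requested, e.g. START_PROXY=1 node proxy.js
if (process.env.START_PROXY === '1') {
  startServer(3000, makeDeps()).then(() => console.log('proxy listening on :3000'));
}
```

The 502 path matters in practice: upstream libraries often quote the full request URL in their error text, which is exactly where a key ending in the browser's network tab tends to come from.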
Critical vulnerability in better-auth API keys plugin (CVE-2025-61928) allows unauthenticated attackers to create privileged credentials. Update to version 1.3.26+ immediately. #CyberSecurity #APIKeys #BetterAuth Link: thedailytechfeed.com/critical-vul...
October 22, 2025 at 9:44 AM
✉️ [beta] Site updates #changelog
https://beta.groups.io/g/main/topic/115218093
September 13, 2025 at 2:53 AM
Salesloft Integration Breach Exposes Salesforce Customer Data #APIKeys #AWS #CyberAttacks
Salesloft Integration Breach Exposes Salesforce Customer Data
A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments. Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data.

According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use.

Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs. To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise.

Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk. While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain.

This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.
dlvr.it
September 4, 2025 at 4:27 PM
Need an IP geolocation API key?
Takes < 60 seconds to get started with IPinfo.

Here’s how to:
🔑 Get your token
🌐 Call the API via cURL, JS, or browser
🧪 Test a response

Step-by-step guide → ipinfo.io/blog/how-to-...

#IPData #APIKeys #DevTools
August 4, 2025 at 9:15 PM
STOP sending API keys over email 😨
Use secure tools like One Time Secret 🔐

Pro tip for managing keys across workflows 👇
This is how you avoid breaking client automations.

Tap to watch 👉 youtu.be/mw1V2GoYHsk

🔥🔥 Join our FREE community 👉 www.skool.com/automation-m...

#APIkeys #n8n #Automation
July 31, 2025 at 3:30 PM
I definitely miss the API, and of course the option to get APIKeys... @asklumo.proton.me Can purr better with an API....
Lumo is a cat.
July 25, 2025 at 10:04 PM
📢🚨 New #AWSEspanol blog on #devto: 🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers

#AmazonBedrock #APIKeys #Developers #Authentication #CloudSecurity
🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers
🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers What...
ift.tt
July 9, 2025 at 8:43 AM
🚀📝 🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers

#AmazonBedrock #APIKeys #CloudSecurity #AWS #ProgrammaticAuthentication
🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers
Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each...
ift.tt
July 8, 2025 at 8:43 AM
📣 New Podcast! "North Korea's Crypto Heists | Mobile App and API Threats" on @Spreaker #apikeys #apisecurity #approov #cryptoheist #cryptosecurity #cybersecurity #hardwarewallet #lazarusgroup #mobilesecurity #northkoreahackers #phishing #upwardlymobile
North Korea's Crypto Heists | Mobile App and API Threats
North Korean Crypto Heists: Mobile and API Threats

In this episode of Upwardly Mobile, we delve into the alarming tactics employed by North Korean state-sponsored hackers to siphon billions from the cryptocurrency world. Moving beyond targeting just large exchanges, these sophisticated actors, most notably the infamous Lazarus Group, are increasingly focusing on vulnerabilities in mobile devices and Application Programming Interfaces (APIs), the digital connectors powering our apps.

We discuss how your phone, the device you carry everywhere, has become a prime target. Hackers are using sophisticated social engineering and phishing campaigns delivered via messaging apps and social media to trick users into compromising their devices. They develop or infect malicious cryptocurrency apps and fake wallets to steal private keys and transaction data. Furthermore, exploiting vulnerabilities in mobile operating systems and apps, or deploying Remote Access Trojans (RATs) through various mobile vectors, allows them persistent access to steal credentials and control crypto accounts. Reports indicate attackers have even leveraged remote collaboration tools to gain control.

APIs, the unseen connectors that enable apps to communicate, are also major targets. North Korean hackers actively seek to steal API keys from developers and employees within crypto firms through phishing and malware. Campaigns like "Operation 99" specifically target developers for sensitive data, including API keys. Exploiting flaws in the design or implementation of exchange and wallet APIs allows them to bypass security or manipulate data. They also utilise supply chain attacks, compromising third-party vendors with API access to gain a foothold and exploit trusted connections. Attacks like the ByBit hack reportedly involved exploiting supplier vulnerabilities and altering wallet addresses, potentially involving API manipulations.

These tactics have been linked to high-profile heists against major exchanges like KuCoin and WazirX, and DeFi protocols such as the Ronin Bridge. Stolen funds are then put through complex, multi-stage laundering processes involving mixers, DEXs, and cross-chain bridges to obscure their origin.

We also cover essential defence strategies for both individuals and organisations in the crypto space. For individuals, this includes being hyper-vigilant against unsolicited messages, securing your mobile device with updates and trusted app sources, using hardware wallets for significant holdings, implementing strong, unique passwords and 2FA, and diligently verifying wallet addresses. For organisations, robust API security, regular security audits, employee training, supply chain risk management, and advanced threat detection are crucial. This battle is an ongoing arms race, but understanding these evolving threats is the first step to bolstering your defences.

Sponsor: This episode is brought to you by Approov, a leader in API and mobile app security. Learn more about protecting your APIs and mobile applications from sophisticated threats by visiting approov.io.

Keywords: North Korea, hackers, cryptocurrency, crypto, mobile security, API security, Lazarus Group, phishing, social engineering, malware, vulnerabilities, cybercrime, cyberattack, state-sponsored hacking, API key theft, supply chain attack, cold storage, hardware wallet, 2FA, MFA, security audit, threat detection, Ronin Bridge, KuCoin, WazirX, ByBit, Operation 99, fast flux, bulletproof hosting, OWASP API Security Top Ten, Approov.
www.spreaker.com
May 23, 2025 at 9:16 PM
An employee leaked API keys from xAI, causing information breaches in Spacex, Tesla, and more…

Read the article here: winbuzzer.com/2025/05/02/a...

Keep up with incidents like this with FireTail’s breach tracker: www.firetail.ai/ai-breach-tr...

#Breaches #Musk #Tesla #SpaceX #APIKeys #DataLeak
May 6, 2025 at 7:51 PM
Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns #APIKeys #Cybersecurity #DataBreach
Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns
A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments. Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally. “It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers. “The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks. “They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:
- Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.
- A fake npm extension embedded spyware that enabled complete remote access.
- Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.
dlvr.it
April 25, 2025 at 5:20 PM
HaveIBeenPwned Founder Compromised in Phishing Incident #APIKeys #CredentialPhishing #CyberAttacks
HaveIBeenPwned Founder Compromised in Phishing Incident
The cybersecurity expert Troy Hunt, who founded the data breach notification platform Have I Been Pwned, recently revealed that he had been the victim of a phishing attack that was intended to compromise his subscriber list for the attacker to gain access to his data. Hunt explained the circumstances surrounding this incident in a detailed blog post, and provided screenshots of the deceptive email which enabled the attack to succeed. In the fraudulent message, the author impersonated Mailchimp, a legitimate email marketing company, and embedded a hyperlink that was directed to a nearly identical, but fraudulent domain, which was a common phishing attack. It was very difficult to distinguish at a glance between the spoofed and authentic domains, which is why MailChimp-sso.com (now deactivated) is so closely similar.

In Hunt's case, he acknowledged that he was severely fatigued at the time of the attack, which made it harder for him to act correctly. He also mentioned that he was experiencing jet lag at the time of the attack. In response to the email, he accidentally entered his credentials along with the one-time password, which was used for authentication. However, the fraudulent webpage did not proceed to the expected interface as he expected, signalling that the attack had been carried out. As a result of this incident, phishing scams represent a very prevalent risk, which underscores the importance of maintaining constant vigilance, even among cybersecurity professionals.

As soon as Troy Hunt discovered that he had been victimized by a phishing scam, he reset his password and reviewed his account activity immediately. However, since the phishing attack was highly automated, his credentials were already exfiltrated by the time he could respond. Although Hunt has extensive cybersecurity experience, this particular phishing attempt proved to be extremely successful. Hunt attributes the success to both his exhaustion after a long flight, as well as the sophistication of the email that was intended to fool others. According to him, the phish was "well-crafted" and was subtly manipulating psychological triggers. In the email, rather than utilizing overt threats or excessive urgency, it was suggested that he would not be able to send newsletters unless he took action. It was thus possible to send the email with just the right amount of apprehension to prompt action without creating suspicions.

As a result, Hunt, the founder of the Have I Been Pwned platform, a platform that alerts people to compromised credentials, has taken steps to ensure that the information exposed in this incident will be incorporated into his platform in the future, which he hopes will lead to improved performance. A direct notification will be sent to individuals who have been affected by the breach, including both current subscribers and those who have already unsubscribed but are still impacted by the breach.

Troy Hunt, a cybersecurity expert who runs a blog dedicated to cyber security and privacy, was targeted on March 25, 2018, by a phishing attack that compromised subscriber data from his blog. The attack originates from an email that impersonates Mailchimp, the platform he uses for sending out blog updates via email. According to the fraudulent message, his account had been suspended temporarily because of a spam complaint and he was required to login in order to resolve it. The fake email made it look authentic by threatening disruption of service and creating a sense of urgency. Hunt was unable to distinguish this attack despite his extensive experience in identifying similar scams, as he was fatigued and jet lag affected his judgment in the process. In his attempt to log in with the email's link, he noticed an anomaly: his password manager did not automatically fill in his credentials. As a result, this could indicate that the website is fraudulent, but this is not a definitive indication, since legitimate services sometimes require a login from a different domain in some cases.

As a result of the attack, approximately 16,000 email records were successfully exfiltrated, including those of active and unsubscribed readers alike. It is the result of Mailchimp's policy of retaining unsubscribed user information, a practice that is now being reviewed. There were emails, subscription statuses, IP addresses, location metadata and email addresses included in the compromised data, though the geolocation data did not pinpoint subscriber locations specifically. When the breach was discovered, immediate steps were taken to prevent further damage from occurring. It was determined that the attacker's API key would be revoked by Mailchimp, and the phishing website would be taken offline once the password was reset. Founder of Have I Been Pwned, a platform that tracks data breaches, Hunt has now added this incident to its database, making sure that affected users have been made aware of the incident.

As phishing has become increasingly sophisticated over the years, it has moved beyond stereotypical poorly worded emails and implausible requests, moving into new levels of complexity. Cybercriminals today employ extremely sophisticated tactics that take advantage of human psychology, making it more and more difficult for consumers to distinguish between legitimate and fraudulent communications. The recent incident highlights the growing risks associated with targeted phishing attacks, as well as the importance of cybersecurity awareness and defense.

Key Insights and Takeaways:

Psychological Manipulation and the Subtle Use of Urgency
The majority of phishing emails are crafted to create a feeling of immediate panic, such as threats of account suspension or urgent payment requests, causing immediate panic within the target. However, modern attackers have honed their strategies, utilizing subtle psychological strategies to weaken the defences of their targets. As a matter of fact, in this case, the fraudulent email implied a very minor yet urgent issue: that the newsletter could not be sent. To manipulate the recipient into taking action, the email created just enough concern without raising suspicions, which led the recipient to respond to the email effectively. It is therefore imperative to recognize psychological manipulation in social engineering attacks, even for small requests that are relatively urgent, especially when it comes to logging into an account or updating one's credentials, to be viewed with suspicion.

Password Manager Behavior as a Security Indicator
In this attack, several red flags were pointing at Hunt's password manager's behaviour. Password managers are designed to recognize and auto-fill credentials only when they are used on legitimate websites. It should have been a warning sign in this case that the credentials of the user failed to automatically populate on the website, which could have indicated the website was fraudulent. By paying close attention to their password manager behaviour, users will be able to become more aware of security risks associated with their password manager. The site may be a spoofed one if the credentials are not automatically filled. Instead of entering the login details manually, users should double-check the source of the website and confirm it is authentic before proceeding with the transaction.

The Limitations of One-Time Passwords (OTPs) in Phishing Attacks
The multi-factor authentication (MFA) technique is widely considered to be one of the best security measures available, but it is not immune to phishing attacks. In this case, the attackers also requested Hunt to provide a password along with an OTP after he provided his username and password. Once he provided the password, the attackers gained access to his legitimate account immediately. A major weakness of OTP-based authentication is the inability to protect against real-time phishing attacks, where credentials are stolen and used instantly. The risk can be mitigated by requiring users to enter OTPs when they see sites that look suspicious or differ slightly from their usual login flow. Users are advised to be cautious when they are asked to enter OTP.

Passkeys as a Stronger, Phishing-Resistant Alternative
There is no better way to authenticate a user than using passkeys, which are cryptographic credentials linked to the device of a user instead of traditional passwords. Passkeys are based on biometric authentication, for example, fingerprints, facial recognition, or even on-device authentication mechanisms. As passkeys are not associated with manually entering credentials, they have a much higher resistance to phishing attacks than traditional passwords. Passkeys work on the trust-based model, unlike passwords and OTPs, where they require physical access to the device registered for authentication. In contrast to traditional login methods, passkeys are a powerful alternative that can be used in place of traditional login methods and can serve as a valuable defence against phishing attempts as well.

The Importance of Continuous Security Awareness
Despite their expertise, even cybersecurity experts can be susceptible to sophisticated attacks, highlighting the importance of maintaining constant vigilance. The best way to enhance your security is to verify URLs carefully – Keep an eye out for slight misspellings or variations in URLs, as attackers are often able to create a lookalike URL by using security keys or passkeys. By using hardware-based authentication, such as YubiKeys, or passkeys, you can be assured that your information will be secure. If anyone receives a suspicious email asking for login credentials, security updates, or sensitive actions, be cautious and verify the message separately.
- Using Advanced Threat Protection – Organizations should take advantage of tools powered by artificial intelligence that are capable of detecting phishing attempts and blocking them in real-time.
- Educating Employees and Individuals – By attending regular cybersecurity training, you can become aware of the ever-evolving tactics used by phishing websites, minimizing the chances of human error.

Although it is not possible to ensure complete protection against phishing attacks with just one security measure, adopting a multi-layered approach, a combination of awareness, technological safeguards, and behavioural vigilance, can greatly reduce your chances of becoming a victim of the attack. Despite being an experienced cybersecurity professional, even the most experienced individuals are not immune to social engineering techniques as demonstrated by the Troy Hunt incident. There was a significant contribution of fatigue and reduced attentiveness in this case, leading to a misjudgment that was essentially avoidable. It is known that social engineering can be extremely effective when it is employed in the right circumstances to reach the right people at the right time, resulting in a misjudgment that could have been avoided if it had been implemented correctly. The incident illustrates the way cybercriminals are using human weaknesses to achieve their objectives by exploiting human vulnerabilities.

According to Aditi Gupta, a principal security consultant at Black Duck, attackers use a variety of tactics to manipulate unsuspecting victims, such as fear, urgency, and fatigue, to fool inexperienced people, reinforcing the theory that no one can escape sophisticated phishing schemes altogether. However, Hunt has been praised for being transparent in sharing his experience, which has served as a powerful tool for educating others about the risks associated with cybersecurity, despite the setbacks he has experienced. Despite admitting that he had made mistakes, he also expressed concern about Mailchimp’s security practices, especially the fact that the company did not offer two-factor authentication that is phishing resistant and kept intact for years to come.

Cyber threats are not only mitigated through continuous vigilance, robust authentication mechanisms, and organizational responsibility, but also through continuous vigilance, robust authentication mechanisms, and organizational responsibility. The threat of social engineering attacks continues to increase and to remain protected from these attacks, it is imperative to strengthen security protocols, eliminate conventional authentication methods, and maintain cybersecurity awareness throughout the organization.
dlvr.it
April 1, 2025 at 11:26 AM
Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn #APIKeys #Appsecurity #cloudstorage
Thousands of iOS Apps Expose Sensitive Data Through Hardcoded Secrets, Researchers Warn
Cybersecurity researchers have uncovered alarming vulnerabilities in thousands of iOS applications, revealing that hardcoded secrets in their code have put users' sensitive information at risk. A recent analysis by Cybernews examined over 156,000 iOS apps and detected more than 815,000 hardcoded secrets—some of which are highly sensitive and could potentially lead to security breaches or data leaks.

The term "secret" broadly refers to sensitive credentials like API keys, passwords, and encryption keys. These are often embedded directly into an app’s source code for convenience during development, but developers sometimes fail to remove them before release. According to Cybernews, the average iOS app exposes 5.2 secrets, and 71% of apps contain at least one leaked credential.

While some of these hardcoded secrets pose minimal risk, the report highlights serious threats. Researchers identified over 83,000 cloud storage endpoints, with 836 exposed without authentication, potentially leaking more than 400TB of data. Additionally, 51,000 Firebase endpoints were discovered, thousands of which were accessible to outsiders. Other exposed credentials include API keys for platforms like Fabric API, Live Branch, and MobApp Creator.

Among the most critical findings were 19 hardcoded Stripe secret keys, which directly control financial transactions. Cybernews researchers emphasized the severity of this issue, stating: “Stripe is widely used by e-commerce and even fintech companies to handle online payments.” This vulnerability could allow cybercriminals to manipulate transactions or gain unauthorized access to payment infrastructure.

The findings challenge the common belief that iOS apps offer stronger security compared to other platforms. “Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews. This study underscores the importance of secure coding practices and urges developers to adopt better security protocols to prevent data breaches and unauthorized access.
dlvr.it
March 23, 2025 at 1:23 PM
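The Salesloft post above tells administrators to scan support-case data for "AKIA", "Snowflake", "password" and "secret", and the Cybernews post describes the same class of finding (AWS keys, Firebase endpoints, Stripe secret keys) sitting in app bundles. Both come down to pattern triage, shown here as an added example that belongs to neither write-up: the key shapes are the publicly documented ones (AWS access key IDs, Stripe sk_live_ keys, *.firebaseio.com hosts), the keyword rule is a deliberately loose lead, and the SAMPLE text is constructed using AWS's documented placeholder key and a made-up Stripe key.

```javascript
// Pattern-based secret triage over text (support-case notes, config pasted into
// tickets, `strings` output from an app bundle). Added example; not code from the
// Salesloft or Cybernews write-ups. The SAMPLE text is constructed for this
// example and uses the documented AWS placeholder key and a made-up Stripe key.
const SECRET_PATTERNS = [
  // AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
  { type: 'aws_access_key_id', severity: 'high', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Stripe live secret keys (assumed prefix sk_live_); these control payments.
  { type: 'stripe_secret_key', severity: 'critical', re: /\bsk_live_[0-9A-Za-z]{16,}\b/g },
  // Firebase Realtime Database endpoints; candidates for an open-rules check.
  { type: 'firebase_endpoint', severity: 'medium', re: /https:\/\/[a-z0-9-]+\.firebaseio\.com\b/g },
  // Keyword assignments ("password", "secret", "snowflake") are triage leads only.
  { type: 'keyword', severity: 'low',
    re: /\b[\w.-]*(password|secret|snowflake)[\w.-]*\s*[:=]\s*\S+/gi },
];

const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };

// Keep just enough of a match to locate it in the source; never log the value.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 8) + value.slice(-4);
}

// Scan line by line and return one finding per match, most severe first.
function scanForSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const p of SECRET_PATTERNS) {
      for (const m of line.matchAll(p.re)) {
        findings.push({ line: idx + 1, type: p.type, severity: p.severity, sample: redact(m[0]) });
      }
    }
  });
  return findings.sort((a, b) =>
    SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity] || a.line - b.line);
}

// Count findings per type, handy for a rotation checklist or a dashboard.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed sample: what a leaked support case or an app's string table might hold.
const SAMPLE = [
  'Case 00123: customer cannot connect, config pasted below',
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
  'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  'snowflake_password=Winter2025!',
  'firebase: https://example-app-12345.firebaseio.com/users.json',
  'stripe_key: sk_live_EXAMPLE0000000000000000',
  'No credentials in this line.',
].join('\n');

// Human-readable report; samples are redacted so the report itself is safe to share.
function report(text) {
  return scanForSecrets(text)
    .map((f) => `${f.severity.padEnd(8)} line ${f.line}: ${f.type} ${f.sample}`)
    .join('\n');
}

console.log(report(SAMPLE));
```

Every hit from the keyword rule needs a human look (it will flag `aws_secret_access_key = ...` as a lead rather than as a confirmed 40-character secret), while the prefixed formats are specific enough to go straight onto a rotation list.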
Writing bad code and probably accidentally exposing APIKeys, what could go wrong...

Re-writing my StreamerBot PiShock extension~

live.mxpuff.in
March 12, 2025 at 8:59 AM
You need the real OAuth - where users can use their own identity provider - and no longer need passwords. The purpose of the protocol was to allow identity federation, not lock in. Support OIDC JWTs - no need for apikeys.
February 10, 2025 at 12:36 AM
Guess who left a #database wide open, exposing #chatlogs, #APIkeys, and more? Yup, #DeepSeek.. Oh someone's in DeepShi... www.theregister.com/2025/01/30/d...
DeepSeek database left open, exposing sensitive info
Oh someone's in DeepShi...
www.theregister.com
January 31, 2025 at 2:12 PM
Looking to improve security and access management in your #Kubernetes environment? Learn how to leverage external authentication and API keys to protect your cluster while ensuring seamless integration. Full article: https://www.edc4it.com/blog/k8s-external-auth-apikeys #ITtraining #APISecurity
Kubernetes: Ingress External Authentication (Api Keys)
Learn how to secure Kubernetes services with API key authentication using NGINX Ingress. This step-by-step guide covers setting up external authentication with a Scala http4s service, forwarding custom identity headers, and testing with tools like httpie and curl. Perfect for enhancing security while keeping your configuration flexible and maintainable.
www.edc4it.com
January 20, 2025 at 1:02 PM
Anyone aware of any good open source mcp-clients?

I keep hitting message limits pretty quickly using mcp servers in Claude Desktop client for example. I'd like to have a mcp-client I can use to interact with mcp servers using apikeys rather than through claude desktop

cc: @simonwillison.net
January 6, 2025 at 8:41 PM
Kubernetes excels at scaling, but what about external API key auth? 🤔 Dive into our guide for practical tips on integrating secure external auth in your clusters. Details here: https://www.edc4it.com/blog/k8s-external-auth-apikeys

#Kubernetes security made smarter!
Kubernetes: Ingress External Authentication (Api Keys)
Learn how to secure Kubernetes services with API key authentication using NGINX Ingress. This step-by-step guide covers setting up external authentication with a Scala http4s service, forwarding custom identity headers, and testing with tools like httpie and curl. Perfect for enhancing security while keeping your configuration flexible and maintainable.
www.edc4it.com
January 2, 2025 at 9:02 AM