In 2018, Facebook experienced a critical breach that went unpatched for over 20 months and resulted in the theft of 30 million authentication tokens and a similar amount of personally identifiable information. Facebook has since pledged to improve its security, but the theft of access tokens still represents a major API security risk. The incident highlights how API risks can remain undetected for so long and still impact so many users over a year later.
APIs are a powerful communication tool, but their parameter flexibility and sheer frequency of use make them vulnerable to attack; they exist in everything from single-page web applications to mobile apps to industrial IoT systems. OWASP recently introduced a report that identifies the top risks to API security, to help users make sense of the risk surface. The three most common are unknown or outdated API specifications, uninspected APIs, and uncontrolled third-party APIs.
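The first two risks named above, an outdated specification and APIs nobody inspects, can be checked for with a routine inventory comparison: diff the endpoints a published spec claims exist against the endpoints that actually receive traffic. The following is an added example, not code from the article or from OWASP; it assumes a minimal OpenAPI-style inventory (path templates mapped to allowed methods) and Common Log Format access logs, and both the spec and the log lines below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample: a minimal OpenAPI-style path inventory (assumed format,
# path template -> set of documented methods), standing in for the published spec.
SPEC_PATHS = {
    "/v1/users/{id}": {"GET", "PATCH"},
    "/v1/users/{id}/tokens": {"POST"},
    "/v1/health": {"GET"},
}

# Constructed sample access log lines in Common Log Format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "POST /v1/users/42/tokens HTTP/1.1" 201 128
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /v1/users/42/tokens HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /v1/users/42/export HTTP/1.1" 200 65536
10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /v1/admin/debug HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2020:10:00:06 +0000] "GET /v1/health HTTP/1.1" 200 2
"""

# Pulls the method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def spec_matchers(spec):
    """Compile each templated spec path into a regex paired with its method set.

    A template segment such as {id} matches exactly one path segment, so
    /v1/users/{id} does not swallow /v1/users/42/export.
    """
    matchers = []
    for template, methods in spec.items():
        parts = re.split(r"(\{[^/]+\})", template)
        regex = "".join(r"[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
        matchers.append((re.compile(regex), set(methods)))
    return matchers


def undocumented_calls(spec, log_text):
    """Return a Counter of (method, path) requests that the spec does not cover.

    A request is covered only when the path matches a documented template AND
    the method is listed for it; a documented path hit with an unlisted method
    is reported too, since that is where unreviewed behaviour tends to hide.
    """
    matchers = spec_matchers(spec)
    unknown = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        method = m.group("method")
        path = m.group("path").split("?", 1)[0]  # drop the query string
        covered = any(rx.fullmatch(path) and method in methods for rx, methods in matchers)
        if not covered:
            unknown[(method, path)] += 1
    return unknown


if __name__ == "__main__":
    for (method, path), hits in sorted(undocumented_calls(SPEC_PATHS, ACCESS_LOG).items()):
        print(f"undocumented: {method} {path} ({hits} request(s))")
```

Run against real logs, the report is a to-do list for the API owners: each undocumented endpoint is either missing from the spec (fix the spec), retired but still reachable (remove it), or never reviewed at all (inspect it). Running it on a schedule catches drift between what the documentation says and what production actually serves.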
Read More: Three API security risks in the wake of the Facebook breach