WTF are Shadow & Zombie APIs?
17 April 2023
As more companies adopt microservice architectures, APIs (application programming interfaces) have become the main channel for communication between services. That growth also widens the attack surface, particularly in the form of Shadow and Zombie APIs. This post defines the two types, looks at the threats they pose, and explains why organizations need to keep track of them.
by Refael Lachmish
What are Shadow and Zombie APIs?
First, let’s define these spooky terms.
Shadow APIs are APIs that exist within an organization's systems but are not known to its developers or documented in its official API specifications. They can appear unintentionally (a system update or framework upgrade that exposes new routes, a test or debug endpoint that ships to production) or intentionally, when a team stands up an endpoint without ever registering it in the spec or behind the gateway. Either way, nobody is reviewing their authentication, authorization or input handling.
Zombie APIs are APIs that were once active but have since been deprecated, replaced by a newer version, or simply forgotten, without ever being switched off. Because nobody maintains them, they miss the patches and authorization fixes applied to their successors, yet they remain reachable and can still be exploited by attackers, posing significant risk if left unmanaged.
Real world examples of Shadow and Zombie API exploits
To emphasize the importance of addressing these hidden APIs, let's look at some publicly reported incidents in which Shadow and Zombie APIs were exploited, leading to unauthorized access to sensitive data and resources.
In 2018, Facebook faced a well-publicized scandal involving Cambridge Analytica, a political consulting firm that harvested the personal information of millions of Facebook users through a Shadow API. The firm used that API access to bypass Facebook's intended controls and collect data from users who had never consented to it, causing significant damage to Facebook's reputation and raising questions about its commitment to user privacy. In December 2022, Facebook's parent company, Meta, agreed to settle the resulting class action for $725 million.
In 2019, Capital One, a well-known financial institution, suffered a data breach in which a Zombie API was exploited to reach sensitive customer information. The attacker bypassed the bank's security measures and accessed credit card application data for more than 100 million customers in the US and Canada. Around 140,000 Social Security numbers and about 80,000 bank account numbers were exposed. In December 2021, Capital One agreed to settle a class action over the breach for $190 million.
Uncovering Shadow and Zombie APIs with the Wib Fusion Platform for API security
To effectively address Shadow and Zombie API risks, organizations need a comprehensive solution that covers visibility, detection, and continuous monitoring. The Wib API security platform (Fusion) offers a structured approach:
API visibility and inventory:
The platform builds a real-time, accurate inventory of an organization's APIs from multiple sources (source code, API gateways and observed traffic) and unifies that data into a single source of truth that is updated automatically as APIs change.
Detection of Shadow and Zombie APIs:
The Wib API Crawler scans web applications from the outside to detect Shadow APIs, which by definition do not show up in source code or gateway configuration. For Zombie APIs, the platform uses code analysis to identify deprecated endpoints and a testing engine to check whether those endpoints are still reachable and exploitable.
The Wib Fusion Platform continuously monitors API usage, ensuring up-to-date visibility and immediate detection of newly discovered or modified APIs.
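The detection step described above comes down to two checks: reconcile what the gateway actually serves against the documented inventory (anything served but undocumented is a Shadow API), and probe every operation the inventory marks as deprecated (anything that still answers is a Zombie API). The script below is an added example written for this article to show that logic end to end; it is not Wib's code. It assumes a minimal OpenAPI-style spec, a handful of common-log-format gateway lines and a stand-in `probe` function, all constructed here so it runs offline.

```python
"""Classify observed API traffic against an OpenAPI inventory.

Shadow API : a method + path seen in gateway logs with no entry in the spec.
Zombie API : an operation the spec marks `deprecated` that still receives
             traffic, or still answers anything but 404/410 when probed.
The spec, log lines and probe results below are all constructed for this example.
"""
import re
from collections import Counter

# Constructed, minimal OpenAPI-style inventory: the intended "single source of truth".
SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {}, "delete": {"deprecated": True}},
        "/api/v1/orders": {"get": {}, "post": {}},
        "/api/v1/legacy/export": {"get": {"deprecated": True}},
    }
}

# Constructed gateway access-log lines in common log format.
GATEWAY_LOG = """\
10.0.0.5 - - [17/Apr/2023:10:01:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [17/Apr/2023:10:01:03 +0000] "POST /api/v1/orders?src=web HTTP/1.1" 201 90
10.0.0.9 - - [17/Apr/2023:10:02:10 +0000] "GET /api/v1/legacy/export HTTP/1.1" 200 88123
10.0.0.9 - - [17/Apr/2023:10:02:11 +0000] "DELETE /api/v1/users/7 HTTP/1.1" 204 0
198.51.100.7 - - [17/Apr/2023:10:03:00 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
198.51.100.7 - - [17/Apr/2023:10:03:01 +0000] "GET /api/v2/users/42/export HTTP/1.1" 200 9000
10.0.0.5 - - [17/Apr/2023:10:03:05 +0000] "GET /api/v1/orders HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_log_line(line):
    """Return (METHOD, path, status) from one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # the query string is not part of the route
    return m.group("method"), path, int(m.group("status"))


def template_to_regex(template):
    """Turn an OpenAPI path template into a regex: /users/{id} -> ^/users/[^/]+$."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def compile_spec(spec):
    """Index the spec as [(regex, template, {METHOD: is_deprecated})]."""
    index = []
    for template, ops in spec["paths"].items():
        methods = {m.upper(): bool(op.get("deprecated")) for m, op in ops.items()}
        index.append((template_to_regex(template), template, methods))
    return index


def match_spec(index, method, path):
    """Return (template, is_deprecated) for a documented operation, else None."""
    for regex, template, methods in index:
        if method in methods and regex.match(path):
            return template, methods[method]
    return None


def classify_traffic(spec, log_text):
    """Bucket every observed call as documented, shadow or zombie, with hit counts."""
    index = compile_spec(spec)
    documented, shadow, zombie = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        method, path, _status = parsed
        hit = match_spec(index, method, path)
        if hit is None:
            shadow[(method, path)] += 1      # live traffic, nothing in the inventory
        elif hit[1]:
            zombie[(method, hit[0])] += 1    # deprecated on paper, still being called
        else:
            documented[(method, hit[0])] += 1
    return {"documented": documented, "shadow": shadow, "zombie": zombie}


def live_deprecated_operations(spec, probe):
    """Probe each deprecated operation; return those that still answer.

    `probe(METHOD, template)` is caller-supplied and returns an HTTP status (an
    assumption of this example; a real probe would send a request with a placeholder
    for each {param}). Only 404/410 count as retired: a 401 or 403 means the route
    still exists and is one missing authorization check away from being live.
    """
    live = []
    for template, ops in spec["paths"].items():
        for m, op in ops.items():
            if op.get("deprecated") and probe(m.upper(), template) not in (404, 410):
                live.append((m.upper(), template, probe(m.upper(), template)))
    return sorted(live)


# Constructed probe results standing in for real HTTP responses.
FAKE_RESPONSES = {
    ("DELETE", "/api/v1/users/{id}"): 401,  # still routed: it challenges for auth
    ("GET", "/api/v1/legacy/export"): 200,  # wide open
}


def fake_probe(method, template):
    return FAKE_RESPONSES.get((method, template), 404)


if __name__ == "__main__":
    print({k: dict(v) for k, v in classify_traffic(SPEC, GATEWAY_LOG).items()})
    print("still reachable:", live_deprecated_operations(SPEC, fake_probe))
```

Two details matter in practice. First, a deprecated endpoint that answers 401 or 403 to an unauthenticated probe is not retired; it is still routed and one authorization bug away from being a working Zombie API, which is why the probe only trusts 404 and 410. Second, the log-based check only finds Shadow APIs that are served through a gateway you log; endpoints exposed directly from a service (the case the external crawl in the section above is for) need a different data source.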
By addressing technical challenges, reducing false positives, and maintaining continuous monitoring, the Platform enables organizations to protect against API-based attacks, prevent data leaks, and uphold user privacy.
How to address Shadow and Zombie API threats
In conclusion, Shadow and Zombie APIs are lurking threats that can expose your organization to security breaches and data leaks. By understanding their potential impact and employing solutions like the Wib Fusion Platform for API security, you can better protect your organization from API-based attacks and safeguard sensitive data. So, the next time someone asks you, “WTF are Shadow APIs?”, you’ll have the knowledge to explain the risks and the tools to tackle them head-on.