Why Are APIs A Popular Target For Hackers?

Intro

Application Programming Interfaces (APIs) have become a popular target for attackers. There are many reasons for this, chief among them the very qualities that make APIs so useful for application integration: they are open, standardized and easy to call from any program. API risk can be mitigated, however.

First, what is an API?

To discuss why APIs are a popular target for hackers, it’s worth first taking a brief moment to define what is currently meant by the term “API.” The concept of the API is not at all new. In fact, interfaces to connect various computer systems with one another, as well as their internal components, have been around since at least the early 1960s.

Today, however, when people talk about APIs, they usually mean standards-based web APIs. These are APIs built using open standards like Representational State Transfer (REST) over HTTP and open data formats like JavaScript Object Notation (JSON). Such “RESTful APIs,” as they are known, can be created without the need for proprietary software. The resulting APIs let software applications exchange data and invoke one another’s functions over the network. For example, a mobile banking app uses an API to access the bank’s systems.

The utility and vulnerability of APIs

The advent of standards-based APIs represented a major leap forward in application integration. Over the last 20 years or so, APIs went from being costly and complicated proprietary software products to free, standards-based tools that were comparatively easy to work with—and quick to deploy.

With the new APIs working over the Internet, it became possible to connect any software or data source, anywhere in the world, regardless of platform, data schema or programming language. As a result, the computing world is now in the midst of an API revolution. There’s been an explosion of connectivity between applications and data. That’s great, until it isn’t.

The very openness and utility of APIs makes them incredibly rich targets for attackers. In the same way that a mobile app can be programmed to reach out and GET data from a corporate system using an API, so too can a piece of malware; on the wire, both are just HTTP clients sending well-formed requests, and an endpoint that does not authenticate the caller, check ownership of the requested record or limit request rates cannot tell them apart. Hackers have written a wide variety of software tools to abuse APIs. It’s an effective attack technique.

Indeed, some major data breaches have resulted from attacker-written software that called an API to extract data from a database. After all, if stealing data requires nothing more than a basic GET request that returns JSON, because the endpoint answers any caller and nothing limits how fast those calls arrive, then a short script can strip a database clean in minutes. In fact, much of what people loosely call “screen scraping” today is really this: rapid-fire API calls that pull records out of a database one request at a time. APIs have become a major attack surface for organizations that build them.
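To make the pattern above concrete, here is an added example (not hCaptcha’s code and not from any real breach): a toy endpoint in the style of GET /api/customers/<id> that answers any caller with no ownership check and no rate limit, the kind of loop a scraper runs against it, and a detector that reads the endpoint’s access log and flags the tell-tale combination of many requests in a short window and IDs walked in ascending order. The records, client IPs, timestamps and thresholds are all constructed for the example.

```python
"""Added example, not hCaptcha's code: a toy REST-style endpoint with the two
weaknesses the text describes (no caller or ownership check, no rate limit),
a scraper that strips it with nothing but sequential GET requests, and a
log-based detector that flags that enumeration pattern.  All records, IPs
and timestamps are constructed for the example."""
import json
import re
from collections import defaultdict

# Constructed sample database keyed by a sequential primary key, the easiest
# kind of ID space for an attacker to walk.
SAMPLE_DB = {i: {"id": i, "email": f"user{i}@example.com", "balance": i * 10}
             for i in range(1, 51)}


class VulnerableApi:
    """GET /api/customers/<id> returns the record to any caller, as fast as
    the caller can ask.  Every request is appended to an access log."""

    def __init__(self, records):
        self.records = records
        self.log = []  # (timestamp_seconds, client_ip, path, http_status)

    def get(self, path, client_ip, now):
        m = re.fullmatch(r"/api/customers/(\d+)", path)
        rec = self.records.get(int(m.group(1))) if m else None
        status = 200 if rec else 404
        self.log.append((now, client_ip, path, status))
        return status, (json.dumps(rec) if rec else None)


def scrape(api, client_ip, start=1, max_misses=5, rate_per_sec=50.0):
    """The attacker's loop: walk the ID space with plain GETs until several
    consecutive 404s suggest the records have run out.  Timestamps advance
    at rate_per_sec to model a tight loop rather than a human clicking."""
    stolen, misses, i, t = [], 0, start, 0.0
    while misses < max_misses:
        status, body = api.get(f"/api/customers/{i}", client_ip, t)
        if status == 200:
            stolen.append(json.loads(body))
            misses = 0
        else:
            misses += 1
        i += 1
        t += 1.0 / rate_per_sec
    return stolen


def detect_enumeration(log, window_s=10.0, min_requests=30, min_sequential=0.8):
    """Flag clients whose requests inside any window_s-second window are both
    numerous and mostly step through object IDs in ascending order.  Returns
    {client_ip: {"requests": n, "sequential_fraction": f}} describing the
    largest qualifying window per client."""
    by_client = defaultdict(list)
    for ts, ip, path, _status in log:
        m = re.search(r"/(\d+)$", path)
        if m:
            by_client[ip].append((ts, int(m.group(1))))
    flagged = {}
    for ip, reqs in by_client.items():
        reqs.sort()
        best, lo = None, 0
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] > window_s:  # slide the window start
                lo += 1
            win = reqs[lo:hi + 1]
            if len(win) < min_requests:
                continue
            steps = sum(1 for a, b in zip(win, win[1:]) if b[1] == a[1] + 1)
            frac = steps / (len(win) - 1)
            if frac >= min_sequential and (best is None or len(win) > best["requests"]):
                best = {"requests": len(win), "sequential_fraction": round(frac, 2)}
        if best:
            flagged[ip] = best
    return flagged


def run_demo():
    """Run a scraper and one ordinary user against the same endpoint; returns
    what the scraper stole and which clients the detector flagged."""
    api = VulnerableApi(SAMPLE_DB)
    stolen = scrape(api, "203.0.113.9")
    # A legitimate client (constructed): the same user re-reading their own
    # record a few times over minutes, plus one other record.  Not flagged.
    for t, cid in [(0.0, 7), (30.0, 7), (60.0, 12), (90.0, 7)]:
        api.get(f"/api/customers/{cid}", "198.51.100.4", t)
    return stolen, detect_enumeration(api.log)


if __name__ == "__main__":
    stolen, flagged = run_demo()
    print(f"scraper pulled {len(stolen)} of {len(SAMPLE_DB)} records with plain GETs")
    print("flagged clients:", flagged)
```

Running it shows the scraper retrieving all 50 records with nothing but GET requests, and the detector flagging only the scraping IP (55 requests in about a second, every ID one higher than the last) while the ordinary user’s handful of requests passes. The thresholds are illustrative; in practice they would be tuned per endpoint, and the real fix is on the endpoint itself: authenticate callers, check that the caller owns the requested record, prefer non-sequential identifiers, and rate-limit per client.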

Mitigating API risk with hCaptcha's Enterprise Product

Stopping API attacks is a popular use case for hCaptcha Enterprise. Unlike the free version of hCaptcha, hCaptcha Enterprise uses advanced machine learning to identify malicious traffic to your site and apps, including scraping activity. Contact us today to learn more.