Staying secure in an era where mobile apps and APIs are most vulnerable. It is very hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that may be exploitable in the future, basic attacks are occurring every day with little to no reviews. For example, a “dated trend” by effective yet lazy hackers is to search for APIs unknown by security teams, coined “Shadow APIs”, connect to these APIs, and extract data.
While SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean “pay dirt” or “move on to the next target”, the same can be said for Shadow API, Find, Connect, Extract.
This talk will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button - or lines of Python code. Attendees will learn about a very basic yet non-so-obvious problem in securing data, and how hackers are
using creative methods to steal large volumes of data.
Presenter: Igor Matlin, Data Theorem, Solution Architect
(Contrast Room, Day 1, Session 3)