As we move through 2024, the Wallarm Research Team continues to monitor the evolving API vulnerability and threat landscape. Our latest Q2 ThreatStats™ Report reveals critical trends and developments that are reshaping the security environment. Continuing from our Q1 findings, the surge in AI API vulnerabilities is not only persisting but intensifying, with an alarming increase in both the volume and severity of exploits. This quarter, we provide a deep dive into the most significant AI API exploits and examine the top API threat types that have emerged.

Key Insights from Q2 2024

The Growing Threat of AI API Attacks

As we highlighted in last quarter’s API ThreatStats™ Report, the integration of AI into various applications has brought new risks, with API attacks on AI systems accelerating at an unprecedented rate. The Q2 report reveals a threefold increase in vulnerabilities within well-known AI systems, highlighting the urgent need for enhanced security measures in this space. The rapid growth of AI APIs in the digital ecosystem has exposed organizations to new, often overlooked, risks. This is a trend that we believe will continue.

Mergers & Acquisitions: A New Security Frontier

One of the most surprising findings this quarter is the significant security risks introduced during mergers and acquisitions (M&A). The report details how ongoing M&A processes have exposed multiple organizations to considerable threats. Notable incidents include breaches at platforms like TestRail (Atlassian), HelloSign (Dropbox), Duo (Cisco), and Authy (Twilio). These cases underscore the critical importance of thorough security assessments and stringent protocols during M&A transitions.

Persistent Challenges with JSON Web Token (JWT) Misuse

Despite the widespread adoption of JWT for securing API communications, improper implementation continues to pose serious security challenges. This quarter, we identified several key issues, including:

• A vulnerability in the Veeam Recovery Orchestrator, where a hard-coded JWT secret exposed a critical flaw, enabling attackers to forge tokens and gain unauthorized access.
• An authentication bypass vulnerability in Lua-Resty.
• A JWT bomb attack in Python-jose, exploiting the decode function to cause denial of service.

These findings illustrate the ongoing difficulties in properly implementing JWT, even as its use becomes more prevalent across industries.

Noteworthy Vulnerabilities and Breaches

The Q2, 2024 API ThreatStats™ Report also highlights several critical vulnerabilities in well-regarded platforms:

Grafana: Despite its strong security focus, Grafana was found to have multiple critical vulnerabilities this quarter, including issues that allowed outside organizations to delete snapshots using its key, a directory traversal flaw in .csv files, and several OAuth-related vulnerabilities, such as account takeovers and token leaks.

AI API Exploits: The AnythingLLM API was found to have vulnerabilities allowing arbitrary file deletion due to path traversal in the logo photo feature, and remote code execution via environmental variables. Additionally, ZenML had a directory traversal vulnerability that permitted unauthorized access to sensitive files.

These cases highlight that even platforms with a robust security posture aren’t immune to flaws, reinforcing the need for continuous monitoring and proactive security practices.

Actionable Steps to Enhance API Security

To help organizations strengthen their API security programs, the Q2 ThreatStats™ Report also provides actionable insights and recommendations. From assessing API risks to prioritizing fixes, these steps are designed to mitigate the risks posed by emerging threats and vulnerabilities.

Stay ahead of the curve by staying informed about the latest developments in the API threat landscape. As these trends continue to evolve, so too must our approaches to security, ensuring that our digital ecosystems remain resilient against ever-changing threats.

Please take a look at the report and let us know what you think.

Download the report here.