In Issue 275 of our #APIsecurity newsletter the theme is: how secure is your API security? Included are two recent attacks on major financial platforms, a new industry survey, and technical deep-dives into JWT flaws and host header injection attacks.

The rise of Business Logic Attacks on APIs.

Researchers hack Internal API using IDOR / BOLA attack to gain McDonald's job application data.

Why APIs are vital for AI success. #API #AI #APIsecurity.

Even Stalkerware app has API security issues.

Hard coded API key and no access rules opens up Food Delivery App.

Oversight in the API design led to the VPN connection shared key retrieval being implemented as a GET request, bypassing intended security controls.

".measures must get beyond MFA, and incorporate a comprehensive zero-trust approach to API security.".

Cisco release patches linked with APIs that allow insufficient input validation and malicious file uploads.

Hard coded API key and no access rules opens up backend of food delivery app.

Malicious popup on blockchain security service provider linked with backend API vulnerability.

API authorization gone wrong. Real-world authorization failures, case studies with lessons for API security teams, missteps that led to a £2.3M fine for 23andMe, data exposure from the Asana MCP and a new resource on securing OAuth for cloud native APIs.

AI zero-day attacks and undocumented APIs are some of the major challenges facing security teams.

Beware of LLM hijacking and system prompt leakage.

An unsafe deserialization issue affecting Wazuh servers was accessible via API.

APIs are the backbone of an AI strategy.

In Issue 273, a case of humans spoofing AI, three real-world OWASP API Security attacks, insights on rising API attack trends and explore how GitHub’s MCP vulnerability may signal a new set of authorization challenges.

Splunk REST endpoint vulnerable to XSS attack.

Reducing development costs through early security practices.

Hacker Claims Massive TikTok Data Breach via API Exploit.