Securing Public APIs Without Breaking Them: Lessons from the Dotpe Case

Updated – 23/09/2024

APIs have become the backbone of modern digital infrastructure. They enable businesses to interact with their customers in real-time, automate workflows, and scale operations. However, their immense benefits come with significant risks—especially when left unsecured. The case of Dotpe, as revealed in a recent deep dive into their API vulnerabilities, serves as a cautionary tale for companies offering public APIs.

The Dotpe Case Study

No business with a public API wants to wake up to see its vulnerabilities exposed and trending at the top of Hacker News—yet that’s precisely what Dotpe faced after these flaws came to light. The reputational damage can be immense and long-lasting, with thousands of developers and security professionals scrutinizing the issue.

Dotpe provides a widely used QR code menu service for restaurants across India, powering the digital experience for customers by offering contactless ordering. However, their API design and implementation expose glaring security flaws. A curious customer could access sensitive restaurant data, such as ongoing orders, purchase history, and even personal details of other patrons. They could see restaurant revenue figures by tweaking basic API parameters and placing fraudulent orders​.

While this situation is shocking, it is unfortunately common. APIs that are not adequately secured expose data that should remain confidential and create a huge potential for misuse.

Critical Failures in API Security

1. Lack of Authentication: Dotpe left many API endpoints unauthenticated, allowing anyone to access sensitive data. Strong authentication is essential for every API.
   
2. Improper Use of Parameters: Simple changes to table IDs and phone numbers let unauthorized users access data. APIs need to validate and sanitize all inputs.
   
3. Rate Limiting: Dotpe’s API had no rate limiting, allowing users to quickly scrape data from thousands of restaurants. Rate limiting is essential to prevent abuse, especially for public APIs.
   
4. Monitoring and Alerts: If Dotpe had been monitoring its API traffic for unusual activity, it could have detected and resolved the issue earlier. Proper monitoring is crucial to track unusual usage patterns.

Tactical Fixes for Securing Public APIs

If your API is already exposed to potential misuse, how can you quickly add security without making breaking changes to the API? Several methods exist to strengthen your API’s defences without altering the public-facing interface.

1. Implement Strong Authentication and Authorization
   Ensure every endpoint requires user authentication. This can include API keys, OAuth tokens, or session-based tokens. Multi-factor authentication (MFA) should be considered for sensitive data.
   
2. Input Validation and Sanitization
   Validate all incoming data to ensure it fits the expected parameters. Ensure that only authorized users can perform actions and access data.
   
3. Rate Limiting and Throttling
   Rate limiting can prevent API abuse. Set limits on how much data users can request within a certain time frame to avoid scraping or overloading the system.
   
4. Geo-Based Whitelisting
   Geo-fencing can reduce exposure if your API primarily serves users from a specific location. Restricting API access to specific cities or countries can help block foreign attacks. However, ensure this doesn’t block legitimate users using VPNs or mobile networks with different locations. Consider fallback mechanisms, like additional authentication for out-of-region access.
   
5. Comprehensive Logging and Monitoring
   Implement logging for all API interactions. Monitor in real-time to detect suspicious behaviour, such as mass data extraction or failed login attempts.
   
6. Security by Design
   Security shouldn’t be an afterthought. Ensure security is part of the development process, even if you need to update your API after launch. Building security into the core of the API is cheaper and more effective than patching it later.

Introducing TheAuthAPI

For businesses struggling with securing their public APIs, solutions like TheAuthAPI can provide an immediate path forward. TheAuthAPI offers an integrated suite of tools that help businesses secure, track, and even monetize their APIs. Here’s how:

• Secure: TheAuthAPI provides powerful authentication mechanisms that help ensure only authorized users can access your APIs, shielding sensitive customer and business data from prying eyes.
  
• Track: Real-time monitoring and alerting ensure that every API interaction is logged and analyzed for suspicious behaviour, allowing companies to act quickly before data is compromised.
  
• Monetize: The platform also offers tools to monetize your API, ensuring that every customer interaction enhances security and contributes to revenue growth.

Conclusion

The Dotpe case underscores the need to secure APIs from day one. No business with a public API wants to see its flaws on Hacker News. While public APIs are essential for scaling businesses, they must be protected from potential misuse. By applying tactical fixes and investing in solutions like TheAuthAPI, businesses can secure their APIs without breaking them and ensure they are safe and profitable.

1. PeaBee’s original article was taken down on 23/09/2024 due to concerns about breaking hacking laws in India and the US. ↩︎