hello.md (43)

©© Œfަ”Βˆκ——‚Ι–ί‚ι © ƒXƒŒƒbƒhˆκ——‚Ι–ί‚ι

38 Nameless Wildflower @No reposting (OP) 2023/09/05 01:35:34

API Abuse – Lessons from the Duolingo Data Scraping Attack
https://securityboulevard.com/2023/08/api-abuse-lessons-from-the-duolingo-data-scraping-attack/

Itfs been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. Therefs a more technical explanation available here.

While we talk a lot about the vulnerabilities in the OWASP API Top-10 and the exploits associated with those vulnerabilities, this incident provides a good reminder that not all vulnerabilities are flaws in code. In fact, this API was working as designed. The OWASP API Top 10 accounts for these kinds of attacks as API6:2023 Unrestricted Access to Business Flows.
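The point of the quoted article is that a lookup endpoint can be abused at scale while behaving exactly as designed, and that the OWASP category for this is API6:2023 Unrestricted Access to Business Flows. Below is an added example, written for this page and not taken from the article, from Duolingo, or from any real API, showing why a plain per-request rate limit is not the right control for this class of abuse: a scraper can stay under it by going slowly, whereas what distinguishes enumeration from a legitimate "look up one address" flow is the number of *distinct* identifiers a single client touches in a window. The user directory, the client address and the scraper loop are all constructed for the demonstration.

```python
"""Added example: detecting enumeration of a public lookup endpoint.

Illustrative code for this page only. The directory, the client
identity and the request pacing are constructed, not real data.
"""
from collections import defaultdict, deque

# Constructed directory. The lookup itself is intended functionality:
# the endpoint is "working as designed" when it answers one query.
USERS = {f"user{i}@example.com": {"name": f"User {i}", "langs": ["es"]}
         for i in range(1000)}


class EnumerationGuard:
    """Flags a client that queries many distinct identifiers in a window.

    A per-request rate limit alone does not help here: a scraper can
    simply slow down. Breadth of identifiers per client is the signal
    that separates scraping from normal use of the same feature.
    """

    def __init__(self, window_s=60, max_distinct=20):
        self.window_s = window_s
        self.max_distinct = max_distinct
        # client -> deque of (timestamp, identifier), oldest first
        self._seen = defaultdict(deque)

    def allow(self, client, identifier, now):
        q = self._seen[client]
        # Drop observations that have aged out of the window.
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        # Blocked requests are still recorded, so probing does not
        # let an attacker "reset" the counter by being refused.
        q.append((now, identifier))
        distinct = {ident for _, ident in q}
        return len(distinct) <= self.max_distinct


def lookup_open(identifier):
    """The open endpoint: anyone may ask whether any address exists."""
    u = USERS.get(identifier)
    return {"exists": u is not None, **(u or {})}


def lookup_guarded(guard, client, identifier, now):
    """Same endpoint behind the enumeration guard."""
    if not guard.allow(client, identifier, now):
        return {"error": "too many distinct lookups"}, 429
    return lookup_open(identifier), 200


def scrape_unguarded(n=100):
    """Constructed scraper against the open endpoint; returns records obtained."""
    return sum(lookup_open(f"user{i}@example.com")["exists"] for i in range(n))


def scrape_guarded(guard, n=100, step_s=0.5):
    """Same scraper, one client, one request every step_s seconds,
    against the guarded endpoint; returns records obtained."""
    got = 0
    for i in range(n):
        body, status = lookup_guarded(guard, "203.0.113.7",
                                      f"user{i}@example.com", now=i * step_s)
        if status == 200 and body["exists"]:
            got += 1
    return got


if __name__ == "__main__":
    print("open endpoint, 100 lookups:", scrape_unguarded(100))
    print("guarded endpoint, 100 lookups:",
          scrape_guarded(EnumerationGuard(window_s=60, max_distinct=20), 100))
```

The scraper paces itself at two requests per second, which a naive throttle would happily accept, yet the guard stops it after the twentieth distinct address in the window. A legitimate client that repeatedly checks the same one or two addresses never trips it, because the check counts distinct identifiers rather than requests. In production the thresholds would be tuned per business flow and the signal combined with others (account age, client fingerprint, proof-of-work or captcha on the lookup), but the shape of the control is the one the OWASP category asks for: limit how much of the flow one actor can consume, not whether the individual call is permitted.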