Anatomy of hack on Google leads Plaxo to up API security

Summary: A malicious attack aimed at Google but routed through Plaxo highlights the growing importance of API security and of the forthcoming OAuth 2.0 protocol, which protects the user's credential information.

Address book service Plaxo is moving to shore up its API security after being sucked in as a back-door, silent victim in an attack on Google.

Last week, a spammer armed with stolen credentials for a number of Google accounts routed the attack through Plaxo's servers by taking advantage of connections the two maintain and an aging Plaxo authentication mechanism called Address Book (AB) Widget, which enables Plaxo users to import Gmail contacts.


Given the avenue of the attack, it was hard for Google to detect the malicious traffic being proxied through Plaxo's IP address.

The two worked together to dissect the hack. Plaxo has since retired its AB Widget and will update its Plaxo-Google Sync in a few weeks to support OAuth 2.0 and take advantage of its secure authentication capabilities.

The moral of the story is that security should be of paramount concern for APIs as they become a preferred point of integration within the concepts of cloud computing.

To wit, over the past two years, companies such as Twitter, Facebook, Google, Netflix, eBay and NPR have each been processing billions of API calls per day.

OAuth 2.0 is a forthcoming Internet Engineering Task Force specification that uses tokens for authenticating API endpoints, which eliminates the need to share credential information among providers.
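To make the difference concrete, here is an added example (not code from the article, Plaxo or Google) modelling the account provider's side of a contacts API. The legacy path is the password-sharing pattern the retired AB Widget relied on: the third party presents the user's own password, so the provider cannot tell the delegate from the account owner and cannot limit what it does. The OAuth 2.0-style path issues a provider-minted access token bound to a user, a client identifier and a set of scopes, so each call is attributable to the client, limited to what the user consented to, and revocable without a password change. The class name, client identifier, scope names, sample contacts and IP address are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    """Constructed model of a provider-issued OAuth 2.0 access token."""
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class ProviderAPI:
    """Hypothetical account provider exposing a contacts API two ways."""

    def __init__(self):
        self._passwords = {}   # user -> (salt, pbkdf2 hash)
        self._tokens = {}      # token string -> AccessToken
        self.audit = []        # (endpoint, user, actor, source_ip) for authorized calls
        self.denied = []       # (endpoint, reason, source_ip) for refused calls

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check_password(self, user, password):
        rec = self._passwords.get(user)
        if rec is None:
            return False
        salt, expected = rec
        return hmac.compare_digest(self._hash(password, salt), expected)

    def _contacts(self, user):
        # Constructed sample data standing in for the user's address book.
        return [f"{user}-friend-{i}@example.test" for i in range(3)]

    # Legacy path: the third party presents the user's own password.
    def legacy_import(self, user, password, source_ip):
        if not self._check_password(user, password):
            self.denied.append(("contacts.read", "bad-credentials", source_ip))
            raise PermissionError("bad credentials")
        # The actor recorded is the user: a delegate and the owner look identical.
        self.audit.append(("contacts.read", user, user, source_ip))
        return self._contacts(user)

    # OAuth 2.0-style path: provider-issued, scoped, client-bound tokens.
    def issue_token(self, user, client_id, scopes):
        """Stand-in for the token endpoint; assumes the user already consented
        to `client_id` acting within `scopes` (consent UI omitted)."""
        value = secrets.token_urlsafe(32)
        self._tokens[value] = AccessToken(user, client_id, frozenset(scopes))
        return value

    def revoke_client_tokens(self, client_id):
        """Cut off one misbehaving client without touching any password."""
        n = 0
        for tok in self._tokens.values():
            if tok.client_id == client_id and not tok.revoked:
                tok.revoked = True
                n += 1
        return n

    def _authorize(self, token_value, required_scope, source_ip):
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked:
            self.denied.append((required_scope, "invalid-or-revoked-token", source_ip))
            raise PermissionError("invalid or revoked token")
        if required_scope not in tok.scopes:
            self.denied.append((required_scope, f"insufficient-scope:{tok.client_id}", source_ip))
            raise PermissionError("insufficient scope")
        # The actor recorded is the client, so per-client traffic is attributable.
        self.audit.append((required_scope, tok.user, tok.client_id, source_ip))
        return tok

    def read_contacts(self, token_value, source_ip):
        tok = self._authorize(token_value, "contacts.read", source_ip)
        return self._contacts(tok.user)

    def send_mail(self, token_value, source_ip, recipients):
        tok = self._authorize(token_value, "mail.send", source_ip)
        return {"from": tok.user, "to": list(recipients), "via": tok.client_id}

    def calls_by_actor(self, actor):
        return sum(1 for _, _, who, _ in self.audit if who == actor)


def demo():
    """Run both paths and return what the provider could observe in each."""
    api = ProviderAPI()
    api.register_user("alice", "correct horse battery staple")
    delegate_ip = "203.0.113.5"   # constructed: the third party's server address

    # Legacy: the delegate sends alice's password; the audit trail says "alice".
    legacy = api.legacy_import("alice", "correct horse battery staple", delegate_ip)

    # OAuth 2.0 style: alice consents to "sync-client" reading contacts only.
    tok = api.issue_token("alice", "sync-client", {"contacts.read"})
    scoped = api.read_contacts(tok, delegate_ip)
    try:
        api.send_mail(tok, delegate_ip, scoped)     # outside the granted scope
        mail_blocked = False
    except PermissionError:
        mail_blocked = True
    revoked = api.revoke_client_tokens("sync-client")
    try:
        api.read_contacts(tok, delegate_ip)         # token revoked
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True

    return {
        "legacy_actor": api.audit[0][2],
        "oauth_actor": api.audit[1][2],
        "contacts_match": legacy == scoped,
        "mail_blocked": mail_blocked,
        "revoked_count": revoked,
        "revoked_blocked": revoked_blocked,
        "calls_by_client": api.calls_by_actor("sync-client"),
        "denials": [reason for _, reason, _ in api.denied],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a provider in Google's position is the audit trail: on the legacy path the only actor it can record is the account owner, so traffic from a compromised delegate is indistinguishable from the user's own; on the token path every call carries a client identifier, so unusual volume from one client can be spotted and that client's tokens revoked while every password stays untouched.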

"End-users won't know the technology they are using is OAuth," said Preston Smalley, general manager and head of product for Plaxo. "But over time users are becoming more and more sensitive to sharing their user names and passwords with anyone other than their account provider."
