Safeguard
Application Security

API Security Misconfiguration

API misconfigurations exposed 37M T-Mobile and 9.8M Optus accounts without a single exploit. Here's why it keeps happening and how to stop it.

Bob
Application Security Engineer
6 min read

In January 2023, T-Mobile disclosed that an attacker had been pulling customer data through a single API for nearly seven weeks without ever needing a password. No exploit, no zero-day — just an endpoint that never required authentication, quietly returning names, billing addresses, phone numbers, and account details to anyone who asked. By the time T-Mobile shut off access, roughly 37 million current customer accounts had been exposed. That one endpoint is the entire story of API security misconfiguration: a control that should exist, doesn't, and nobody notices until an attacker finds it first. OWASP formally tracks this as API8:2023 Security Misconfiguration, but the label undersells how common and costly it is. Optus, Peloton, and the U.S. Postal Service all lost data the same way — not through sophisticated exploitation, but through APIs shipped with missing auth checks, permissive defaults, or verbose errors left on in production. Here's what causes these failures and how to catch them first.

What Is API Security Misconfiguration?

API security misconfiguration is when an API is deployed with insecure default settings, missing security controls, or excessive permissions that let unauthorized users or requests reach data and functionality they shouldn't. OWASP's API8:2023 category covers a wide surface: missing security headers, unnecessary HTTP methods enabled (PUT, DELETE, TRACE) on production endpoints, permissive CORS policies that let any origin call sensitive routes, verbose error responses that leak stack traces or internal hostnames, directory listing left enabled on API file storage, and outdated or unpatched components running behind the gateway. None of these require an attacker to break anything. The vulnerability is already open by default — someone just has to notice it. That's what makes misconfiguration different from injection or logic flaws: it's rarely a coding mistake, and almost always a deployment, environment, or infrastructure-as-code decision that nobody revisited after go-live.

Why Do API Misconfigurations Happen So Often?

API misconfigurations happen because APIs are shipped faster, by more teams, on more frameworks, than any manual review process can keep up with. A single product might expose REST, GraphQL, and gRPC endpoints across a dozen microservices, each built by a different team with its own defaults for CORS, authentication middleware, and error handling. Kubernetes ingress rules, API gateway policies, and cloud load balancer configs are frequently set once during initial deployment and never revisited as the service evolves — so an endpoint that was internal-only in staging quietly becomes internet-facing in production after a routing change. Shadow APIs compound the problem: endpoints spun up for a mobile app beta, a partner integration, or a debugging session that get forgotten but stay live. Security teams can't fix what they don't know exists, and most organizations discover a meaningful share of their own API inventory only after running traffic-based discovery, not from their own documentation.

What Are the Most Common Types of API Security Misconfiguration?

The most common types are missing authentication on sensitive endpoints, overly permissive access controls, and information disclosure through verbose responses. Specifically, security teams see the same handful of patterns repeatedly: endpoints that skip authentication entirely because they were assumed to be "internal," authorization checks that verify a user is logged in but never verify they're allowed to access the specific record requested, CORS configurations set to wildcard (*) origins that were never tightened after initial testing, default or sample credentials left active in non-production environments that get promoted to prod, and detailed error messages that return database schema, framework versions, or file paths — all useful reconnaissance for an attacker probing the same API. Missing or absent rate limiting is another recurring gap: an API with no throttling turns a single misconfigured authorization check into a mass data-scraping incident, which is exactly what happened at scale in several of the breaches below.

What Do Real-World API Misconfiguration Breaches Look Like?

Real-world API misconfiguration breaches follow a consistent pattern: an internet-facing endpoint with a missing or broken access control gets discovered and scraped at scale before anyone notices. The USPS "Informed Visibility" API, reported by KrebsOnSecurity in November 2018, let any authenticated user view — and in some cases modify — account details belonging to any of the roughly 60 million other registered users, because the API validated that a request came from a logged-in user but never checked whether that user was authorized to see the specific account being requested. Peloton had a similar authorization gap: in May 2021, researchers reported that Peloton's API let any user pull another member's private profile data — age, weight, gender, location — even when the profile was set to private, because the privacy flag was never enforced at the API layer. Optus suffered a larger-scale version in September 2022, when an internet-facing API that required no authentication at all exposed identity document numbers, dates of birth, and addresses for up to 9.8 million customers. And T-Mobile's January 2023 incident, described above, showed the same root cause at telecom scale: one API, no authentication requirement, 37 million exposed accounts, and a nearly seven-week window before detection. In every case, the flaw wasn't a novel technique — it was a control that configuration should have enforced from day one.

How Can Security Teams Detect and Prevent API Misconfiguration at Scale?

Security teams detect and prevent API misconfiguration by treating API inventory and configuration as continuously monitored assets, not one-time deployment checklists. That starts with discovery: traffic-based and code-based scanning to build a complete inventory of every API, including the shadow and zombie endpoints that never made it into official documentation. From there, configurations need to be validated against a defined baseline — OpenAPI/Swagger specs checked for authentication requirements on every route, CORS policies linted for wildcard origins, and cloud API gateway rules diffed against known-good states so drift gets flagged the moment it happens, not months later. Rate limiting and schema validation belong at the gateway layer by default, not bolted on after an incident. Because most of these issues originate in infrastructure-as-code and gateway configs rather than application logic, the highest-leverage fix is catching them in the CI/CD pipeline, before a misconfigured route is ever routable from the internet — which is a fundamentally different problem than finding it after it's already live and indexed by an attacker's scanner.

How Safeguard Helps

Safeguard closes the gap between finding an API misconfiguration and knowing whether it actually matters. Reachability analysis maps which exposed endpoints and misconfigured routes are actually callable from the internet or reachable through your live code paths, so security teams stop chasing theoretical exposure and focus on the handful of findings that represent real risk. Griffin AI triages those findings against your SBOM inventory — generated automatically or ingested from existing sources — to correlate a misconfigured API with the vulnerable or outdated components sitting behind it, cutting through noise that would otherwise take an analyst hours to piece together manually. When a fix is identified, whether it's tightening a CORS policy, enforcing an authentication middleware, or patching a component version, Safeguard opens an auto-fix pull request directly against the relevant service repo, so the remediation ships in the same workflow developers already use rather than sitting in a backlog.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.