Blog, events & news

Could a Flurry of Interactions Be Skewing Your Metrics?

By Netacea / 30th Oct 2020

APIs served as part of web and mobile applications are vital to enabling customers to interact with your business. However, it’s important to understand the impact on your business when these APIs are used in new, non-standard and potentially unintended ways. While APIs are usually written and intended for use with certain frontends (i.e. web application or mobile app), they are served publicly on the internet and are open to inspection by any interested party. They are also, therefore, open to abuse.

Often the abuse of APIs is obviously malicious – probing for vulnerabilities and circumventing protections against unauthorized access – but legitimate functionality can also be misused in ways that can have a detrimental effect. Recently, a developer (Rashiq) launched a service on Twitter that lets users know which McDonalds restaurants in the US have a broken ice-cream machine and which have a functioning ice-cream machine.

Source: https://twitter.com/rashiq/status/1319346264992026624

To do this, he exploited legitimate functionality in McDonalds API for their mobile ordering application. The API had logic built in so that users cannot add ice-cream to their cart in restaurants where the machine was not working. This feature was likely added to save the frustration of users trying to buy products that are unavailable – but this totally legitimate functionality is open to abuse for unintended means. Rashiq could make an application that tried to do this in every restaurant across the country, map out the valid/invalid responses and map which restaurants had a functioning machine. Every minute, according to Rashiq’s post, his crawler added $18,752 worth of ice-cream to baskets around the US.

This example is a novelty use of an API, but this could have very real consequences for the business. Analytics and data retrieved through APIs help businesses make decisions and when that data is skewed in such a dramatic fashion, and those decisions could be problematic. In this case, the developer in question calls attention to this very problem:

Could a flurry of interactions be skewing your metrics 2

Source: https://twitter.com/rashiq/status/1319347626798731264

A key question that all companies with web applications need to ask themselves, is do they have visibility of potential misuses of functionality?

As this example illustrates, APIs can be misused for obscure (often entertaining) purposes. You should never assume that your imagination is as vast as the internet at large, and that you are immune to this sort of activity. Visibility and quantification of potential automated use of APIs are essential to ensuring the good quality data and metrics required to make sound decisions.

Netacea’s server-side approach to bot management gives you comprehensive visibility of the elusive API layer, to ensure all traffic is detected and any malicious behaviour is quickly identified and mitigated.

Assess your bot management strategy with Netacea, to future-proof your infrastructure against the evolving bot threat.