Category: Info Disclosure | CVSS 6.5 (medium)
Publishing Your Complete API Surface by Accident
During a black-box assessment of a global infrastructure provider, publicly accessible OpenAPI specification files revealed the complete internal API surface of multiple services — including endpoints, authentication schemes, request parameters, and response schemas for operations that had no business being documented for public consumption. This is how they were found, what they disclosed, and why specification files sitting on the open internet represent a more serious risk than most organizations acknowledge.