Cloud Security Threat: Vulnerable APIs


From banks to Instagram, weaknesses in online APIs may put company data at risk, warn security experts.

Cloud services allow third-party access to applications and data through so-called Web application programming interfaces, or APIs. Yet, many application developers fail to properly secure such access, putting the application and the underlying data at risk, say security experts.

In October, researchers from the University of Texas at Austin and Stanford University surveyed a variety of high-profile Web services and found that the interfaces exposed to third-party developers contained significant vulnerabilities. Payment services at Amazon and PayPal, the Trillian instant messaging service, the Chase mobile banking service and other Web applications all have flaws in their implementation of the secure sockets layer (SSL) protocol that weaken their security when accessed through the APIs meant for non-browser applications, the researchers found.

The result is applications that can be fooled into allowing some access to a customer's data through the API, according to a paper presented at the 19th ACM Conference on Computer and Communications Security.

...
Read full story on Dark Reading
