Many of the web sites that we examine here in the Foregenix Forensics Lab use third-party APIs to build their web applications, especially for the handling and processing of customers' payment card data. We also see many sites running out-of-date software such as PHP 5.5 or earlier.
As the attached article explains, the TLS certificates returned by API servers are often not validated correctly by the calling web application, which leaves eCommerce web sites susceptible to man-in-the-middle attacks.
Anyone using PHP as their development language should be aware that versions 5.5 and below do not implement TLS correctly and should therefore upgrade to PHP 5.6. Read more on upgrading.
Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN's cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn't verify the TLS certificate, an attacker positioned on the network path can steal your passwords or your customers' credit card numbers.
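The verification described above, as an added example that is not part of the original post or Foregenix's own code: a PHP API call with certificate and host-name checks enforced (the two cURL options that disable them are shown in the comment for comparison), plus the equivalent stream context for PHP 5.5 and 5.6. The API URL and CA bundle path are placeholders.

```php
<?php
// Added example, not Foregenix's code. Placeholders: $apiUrl, $caBundle.

// Verified API call with cURL. The insecure variant seen in many code bases
// differs only in two options:
//   CURLOPT_SSL_VERIFYPEER => false,  // chain not checked
//   CURLOPT_SSL_VERIFYHOST => 0,      // host name not checked
// which accept any certificate presented on the network path.
function callApiVerified($apiUrl, array $payload, $caBundle)
{
    $ch = curl_init($apiUrl);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_SSL_VERIFYPEER => true,  // verify chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match host name
        CURLOPT_CAINFO         => $caBundle,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        // Fail closed: never retry with verification disabled.
        throw new RuntimeException('API call failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Same hardening for stream wrappers (file_get_contents, fopen). PHP 5.6+
// defaults verify_peer and verify_peer_name to true; on 5.5 and below they
// must be set explicitly and CN_match supplies the host-name check.
function verifiedStreamContext($host, $caBundle)
{
    return stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,  // PHP 5.6+
        'CN_match'         => $host, // PHP < 5.6
        'cafile'           => $caBundle,
    )));
}

// Usage (placeholders): derive the host for CN_match from the API URL.
$apiUrl   = 'https://api.example.test/v1/charge';
$caBundle = '/etc/ssl/certs/ca-certificates.crt';
$ctx  = verifiedStreamContext(parse_url($apiUrl, PHP_URL_HOST), $caBundle);
$resp = file_get_contents($apiUrl, false, $ctx); // false on TLS failure
```

A quick way to confirm the settings are in effect is to point the call at a host whose certificate does not match and check that it fails rather than returning a body.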