Why Your Deprecated Endpoints Are an Attacker's Best Friend The Rise of Ghost APIs
Why Your Deprecated Endpoints Are an Attacker’s Best Friend: The Rise of Ghost APIs
Ghost APIs are deprecated endpoints that remain live and accessible; policy says dead, reality says otherwise. Unlike Shadow APIs (unknown to the organization), Ghost APIs are known but never enforced off. Legacy endpoints predate MFA, zero-trust, and modern authentication, making them ideal attack targets. Real-world breaches, including the 2022 Optus incident exposing 9.5 million records, trace directly to forgotten, unenforced API endpoints. The 2022 Optus breach saw an API endpoint originally built to serve customer data via a subdomain rendered effectively unauthenticated by a coding error introduced in 2018. The endpoint was never deprecated, never removed, and never monitored. Four years later, an attacker discovered it, queried it without credentials using nothing more sophisticated than trial and error, and walked away with the personal records of 9.5 million Australians. 🚨
Ghost APIs’ legacy endpoints that remain accessible long after they have been officially deprecated represent a growing and largely unaddressed security debt. They are not a niche problem. They are a structural failure in how cloud-scale systems manage their own lifecycle. The T-Mobile API breach of 2023, in which an attacker silently exfiltrated data from 37 million accounts over 40 days through an insufficiently governed API, illustrates how long these gaps can go undetected even at organizations with dedicated security teams. Several dynamics reinforce this failure, including long-tail consumers continuing to use deprecated endpoints and incomplete dependency maps. Additionally, AI-assisted development tools can silently resurrect deprecated API calls by drawing on training data that predates the deprecation. 🤖
Attackers commonly use several techniques to surface Ghost APIs. Directory brute-forcing involves automated tools probing for predictable versioning patterns. The Wayback Machine and similar services cache old API documentation, allowing an attacker to retrieve full endpoint structures. Hardcoded and weak credentials, often found in older endpoints, are easier to extract from old client binaries. GenAI-assisted reconnaissance is where the threat surface has shifted materially. Large language models trained on public data have absorbed years of API documentation. An attacker can prompt an LLM to reconstruct the likely endpoint structure, parameter names, and authentication patterns of a deprecated API based on nothing more than the service name and approximate era. 🔍
Ghost APIs are active security liabilities because APIs built years ago predate modern security controls like MFA and zero-trust. This creates a structural misalignment. A deprecated API is a policy state. An inaccessible API is a security state. The gap between those two states is where Ghost APIs live and where attackers operate. Three actionable steps are recommended for remediation:
- Deploy service mesh tooling to capture traffic hitting endpoints that have no active documentation or ownership.
- Use Scream Testing by disabling a deprecated endpoint for 24 to 48 hours and monitoring for legitimate complaints.
- Finally, transition from broad, long-lived API keys to short-lived, identity-scoped tokens. 🔒