Whitepaper

Security findings & technical research.

Our engineering team documents real-world security findings, API analysis, and technical insights from building automation systems for Singapore SMEs. Published responsibly.

What is excessive data exposure?

Excessive data exposure occurs when an API endpoint returns more fields in its response payload than the client application needs or requests. Unlike a data breach, this often happens by design — the API was built to return a comprehensive object, and the developer simply ignores the extra fields in the UI layer.

The problem: those extra fields are still transmitted, still logged, and still accessible to anyone who inspects the network traffic — including malicious actors, misconfigured proxies, or third-party analytics scripts running on the same page.

OWASP API3:2023 (Broken Object Property Level Authorization, the category that absorbed API3:2019 "Excessive Data Exposure")

Real-world example: POS system API

While integrating a point-of-sale system for a retail client, we observed a standard product lookup request returning the following response. The application displayed only the product name and price — but every page load transmitted the full object to the browser:

// Request: GET /api/products/12345
// Displayed in UI: product name, price only
// Actual API response (abbreviated):
{
  "product_id": "12345",
  "name": "Blue Widget",
  "price": 29.90,
  "stock": 142,
  // Fields below not shown in UI but present in every response:
  "supplier_name": "ABC Wholesale Pte Ltd",
  "supplier_contact": "65-XXXX-XXXX",
  "cost_price": 8.50,               // gross margin fully exposed
  "internal_sku": "WH-BLU-142-SG",
  "last_modified_by": "[email protected]",
  "warehouse_location": "Block 3, Unit 12-04"
}

Every visitor's browser received cost prices, supplier contacts, staff email addresses, and warehouse locations with every product page load. None of this was visible to the user, but all of it was readable in the browser's developer tools, and the endpoint itself required no authentication, so the same payload could be fetched directly with any HTTP client.

Business Impact: High

Why this matters for Singapore SMEs

For larger enterprises, security teams typically audit API contracts before deployment. For Singapore SMEs using off-the-shelf software or low-code platforms, this audit rarely happens. Our findings across multiple integrations show this pattern is prevalent in point-of-sale systems, inventory management APIs, HR and payroll platforms, e-commerce backends, and WhatsApp Business API wrappers.

From a PDPA perspective, unnecessarily transmitting employee email addresses, supplier contacts, or customer data in API responses — even if not rendered on screen — may constitute a compliance risk if that data is intercepted or captured by third-party services such as analytics, CDN logs, or browser extensions.

PDPA Relevance

Recommendations

For businesses and developers integrating APIs into their workflows:

// 1. Audit your API responses — not just what the UI displays
//    Open DevTools → Network tab → inspect each API call's response body
// 2. Implement response filtering at the API layer
//    Return only the fields the client needs (field masking / projection)
// 3. Classify every field in your data model
//    PUBLIC | INTERNAL | CONFIDENTIAL | RESTRICTED
//    Enforce that CONFIDENTIAL / RESTRICTED never appear in client-facing responses
// 4. If you cannot modify the API, add a server-side proxy layer
//    Strip sensitive fields before they reach the browser

If you are using a third-party SaaS product and cannot modify the API response directly, consider a middleware proxy layer that filters fields before they reach the client. We have built this pattern for several clients as part of our customised automation work.
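The following is an added example, not code from the original page or from any client integration it describes. It implements recommendations 2 to 4 for the POS response shown above: a field classification map, a deny-by-default projection that drops any field not explicitly classified as viewable for the caller's role, and an audit helper for recommendation 1 that lists the fields a response carries but the UI never renders. The product object, the role names and the classification assigned to each field are assumptions made for the example.

```javascript
// Added example (not from the original page): deny-by-default response
// filtering driven by a field classification, plus an audit helper.
// The sample product below is constructed to match the abbreviated POS
// response in the article; the role names and per-field classes are assumed.

// 1. Classify every field in the data model. A field that is NOT listed here
//    is treated as RESTRICTED, so a newly added database column can never
//    leak to the browser by default.
const FIELD_CLASSIFICATION = {
  product_id: "PUBLIC",
  name: "PUBLIC",
  price: "PUBLIC",
  stock: "INTERNAL",
  internal_sku: "INTERNAL",
  supplier_name: "CONFIDENTIAL",
  supplier_contact: "CONFIDENTIAL",
  cost_price: "CONFIDENTIAL",
  last_modified_by: "RESTRICTED",
  warehouse_location: "RESTRICTED",
};

// 2. Which classes each caller may see. The anonymous storefront gets PUBLIC
//    only; an authenticated staff dashboard additionally gets INTERNAL.
//    CONFIDENTIAL and RESTRICTED never appear in any client-facing response.
const ALLOWED_BY_ROLE = {
  anonymous: new Set(["PUBLIC"]),
  staff: new Set(["PUBLIC", "INTERNAL"]),
};

// Project one object down to the fields the role may see (top-level keys).
// Unknown roles get an empty allow-set, so the result is {} (fail closed).
function projectObject(obj, role) {
  const allowed = ALLOWED_BY_ROLE[role] || new Set();
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    const cls = FIELD_CLASSIFICATION[key] || "RESTRICTED";
    if (allowed.has(cls)) out[key] = value;
  }
  return out;
}

// Filter a whole response body: a single object, or a list endpoint such as
// GET /api/products that returns an array of objects. Used identically in the
// API layer (step 2) or in a proxy in front of a SaaS API (step 4).
function filterResponse(body, role) {
  if (Array.isArray(body)) return body.map((item) => projectObject(item, role));
  if (body && typeof body === "object") return projectObject(body, role);
  return body;
}

// Audit helper (step 1): given the fields the UI actually renders, report every
// key in the live response that the client never needed.
function unusedFields(body, fieldsRenderedInUi) {
  const rendered = new Set(fieldsRenderedInUi);
  return Object.keys(body).filter((k) => !rendered.has(k));
}

// Constructed sample matching the article's abbreviated POS response, plus one
// undeclared field (promo_code) to show the fail-closed behaviour.
const SAMPLE_PRODUCT = {
  product_id: "12345",
  name: "Blue Widget",
  price: 29.90,
  stock: 142,
  supplier_name: "ABC Wholesale Pte Ltd",
  supplier_contact: "65-XXXX-XXXX",
  cost_price: 8.50,
  internal_sku: "WH-BLU-142-SG",
  last_modified_by: "staff@example.com", // placeholder; the page redacts this
  warehouse_location: "Block 3, Unit 12-04",
  promo_code: "SPRING10",
};

// What the product page actually displays.
const UI_FIELDS = ["name", "price"];

console.log("Transmitted but never rendered:", unusedFields(SAMPLE_PRODUCT, UI_FIELDS));
console.log("Anonymous storefront sees:", filterResponse(SAMPLE_PRODUCT, "anonymous"));
console.log("Staff dashboard sees:", filterResponse([SAMPLE_PRODUCT], "staff"));
```

In a proxy deployment, `filterResponse` is applied to the upstream body before it is written to the client, with `role` derived from the proxy's own session check rather than from anything the client sends. The projection is intentionally top-level only; nested objects (for example an embedded supplier record) need their own classification entries or a recursive pass, otherwise an allowed parent key would carry its children through unfiltered.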

More Research

API Research

WhatsApp Business API: Rate Limits & Abuse Vectors

An analysis of undocumented rate limit behaviours in the WhatsApp Business API and their implications for bot reliability and potential abuse patterns.

March 2025 · 5 min read · Medium
Security

Webhook Validation: Most SME Integrations Skip It

We audited 20 webhook-based integrations across common SME tools. 14 had no signature validation — making them susceptible to request forgery attacks.

February 2025 · 6 min read · High
Privacy

PDPA Compliance Gaps in Common Automation Stacks

A review of how customer data flows through popular automation platforms (Make, Zapier, n8n) and where PDPA obligations become ambiguous for Singapore businesses.

January 2025 · 7 min read · Medium
API Research

Google Workspace API Scopes: Least-Privilege Audit

Many automation integrations request overly broad Google OAuth scopes. We document what is actually required versus what is commonly requested in production setups.

December 2024 · 4 min read · Low