Salt Security, an API security company, released new API vulnerability research from Salt Labs detailing a Server-Side Request Forgery (SSRF) flaw discovered on a U.S.-based FinTech company’s digital platform. The FinTech platform provides a range of digital banking services to hundreds of banks and millions of customers, and the API vulnerability could have allowed administrative account takeover (ATO).
Bad actors could have used the flaw to launch attacks to:
- Gain administrative access to the banking system
- Access users’ banking details and financial transactions
- Leak users’ personal data
- Perform unauthorized funds transfers into bad actors’ bank accounts
The flawed component was integrated into many of the FinTech company’s systems, so the SSRF had the potential to compromise every user account and all transaction data served by its customer banks. Upon discovering the vulnerability, Salt Labs followed coordinated disclosure practices, and all issues have now been remediated.
Before it was fixed, abuse of this flaw could have enabled attackers to control millions of users’ bank accounts and funds, resulting in significant financial losses, theft, fraud and reputational damage.
“Critical SSRF flaws are more common than many FinTech providers and banking institutions realize. Had bad actors discovered this vulnerability, they could have caused serious financial damage to all parties involved,” said Yaniv Balmas, VP of Research, Salt Security. “API attacks are becoming more frequent and complex. Our Salt Labs researchers discover critical vulnerabilities that put entire companies at risk every day. By shining a light on these threats, we seek to continually educate security practitioners about potential vulnerabilities in their systems.”
According to the Salt Security State of API Security Report, Q1 2022, 95 percent of organizations experienced an API security incident in the past 12 months. Additional research showed a 681 percent growth in malicious API traffic over the same period.
The API ecosystems of FinTech and financial service providers are vast, with customers, banks and credit unions relying on APIs to drive interactions across an intricate network of websites, mobile applications, custom integrations, webhooks and more.
In this instance, Salt Labs researchers found that several of these external interactions accept caller-supplied input values, including URL values, and that manipulating those values is what led to the SSRF discovery: the platform’s backend could be made to issue requests to a destination the caller chose rather than one the platform intended. Software and API developers should treat every user-controlled value that influences an outbound request as hostile, validating it against an explicit allowlist rather than a string match, and should pair that validation with behavioral detection to protect data from SSRF attacks.
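The following is an added example, not Salt Labs’ code or the affected platform’s: it contrasts the string-prefix URL check a developer typically writes first with a layered validator for caller-supplied URLs (scheme, userinfo, host allowlist, port, and a resolve-every-address check against non-public ranges such as the 169.254.0.0/16 cloud-metadata range). The allowlisted hosts, the DNS answers and the URLs are all constructed so the block runs offline; a real deployment passes the `system_resolver` instead of `fake_resolver`.

```python
"""Added example (not the page's or Salt Labs' code): rejecting SSRF-prone
URLs before a backend fetches them.

Hypothetical setting: a FinTech backend lets callers supply a URL it will
fetch (a webhook endpoint, a partner-bank API base URL). The legitimate
destinations are known up front and are only ever reached over HTTPS/443.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the backend may call.
ALLOWED_HOSTS = {"api.partner-bank.example", "webhooks.partner-bank.example"}

# Constructed DNS answers so the example runs offline. The webhooks host
# deliberately has one private answer, the shape a DNS-rebinding attack or a
# misconfigured zone produces; the validator must reject it outright.
FAKE_DNS = {
    "api.partner-bank.example": ["93.184.216.34"],
    "webhooks.partner-bank.example": ["93.184.216.35", "10.0.0.5"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def system_resolver(host):
    # Every address the name maps to (A and AAAA), not just the first one.
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def naive_check(url):
    """The check a developer writes first: a string prefix test.
    Bypassable by userinfo tricks and by subdomain look-alikes."""
    return url.startswith("https://api.partner-bank.example")


def is_public_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # is_global already excludes RFC 1918, loopback, link-local (where cloud
    # metadata services live), CGNAT, multicast, reserved and unspecified
    # ranges; the explicit checks are kept for older Python versions.
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason). ok is True only when every layer passes."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # https://allowed.example@169.254.169.254/ parses the allowed name as
        # userinfo and sends the request to the metadata service.
        return False, "userinfo in url not allowed"
    host = parts.hostname  # urlsplit lowercases the host for us
    if not host:
        return False, "missing host"
    host = host.rstrip(".")  # "host." is the same name in DNS
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} -> {','.join(addrs)}"


if __name__ == "__main__":
    for url in (
        "https://api.partner-bank.example/v1/accounts",
        "https://api.partner-bank.example@169.254.169.254/latest/meta-data/",
        "https://api.partner-bank.example.attacker.example/",
        "https://webhooks.partner-bank.example/hook",
        "https://127.0.0.1/",
    ):
        print(f"{naive_check(url)!s:5} {check_outbound_url(url, resolver=fake_resolver)}  {url}")
```

Two caveats a practitioner should keep in mind: the resolve-then-fetch pattern still leaves a window in which DNS can change between validation and connection, so production code should connect to the validated address itself (or route all outbound calls through an egress proxy that enforces the same policy), and the HTTP client must not follow redirects, otherwise an allowlisted host that 302s to an internal address defeats every check above.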
The Salt Security API Protection Platform addresses the types of vulnerabilities that stem from flawed API implementations and the attacks listed in the OWASP API Top 10 list, including security misconfiguration and SSRF.
The Salt API security solution uses cloud-scale big data, artificial intelligence (AI) and machine learning (ML). The platform baselines the activity of millions of users and API calls in parallel to detect the reconnaissance activity of bad actors and block them before they can reach their objective.
Through its API Context Engine (ACE) architecture, the API Protection Platform protects APIs across build, deploy and runtime phases, discovers all APIs and the sensitive data that they expose, pinpoints and stops API attackers, and provides remediation insights learned during runtime that developers can use to harden APIs.
To learn more about Salt Security, its platform, or to request a demo, visit https://content.salt.security/demo.html.