Researchers have discovered the vulnerability in an API already integrated into many bank systems, which could have defrauded millions of users by giving attackers access to their money.
A server-side request forgery (SSRF) flaw in an API of a large financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts & funds, researchers have found.
Fund Transfer
A team at Salt Security’s Salt Labs identified the vulnerability in an API in a web page that supports the organisation’s platform fund transfer functionality, which allows clients to transfer money from their accounts on its platform into their bank accounts, researchers disclosed in a report
The company named “Acme Fintech” to preserve its anonymity–offers a “digital transformation” service for banks of all sizes, allowing the institutions to switch traditional banking services to online services.
The platform already has been actively integrated into many banks’ systems & thus has millions of active daily users, researchers suggested.
Administrative Access
If the flaw had been exploited, attackers could have performed various bad activities by gaining administrative access to the banking system using the platform.
From there they could have leaked users’ personal data, accessed banking details & financial transactions, & performed unauthorised fund transfers into their own bank accounts, researchers commented.
After identifying the vulnerability, researchers reviewed their findings & provided recommended mitigation to the organisation, they explained.
Big Reward for Threat Players
API flaws are often overlooked, but researchers at Salt Labs outlined in the report that they “see vulnerabilities like this one & other API-related issues on a daily basis.”
5% of organisations experienced an API security incident in the past year, according to the company’s State of API Security report for the 1st quarter of 2022. This period also showed significant growth of malicious API traffic, they stated.
“Critical SSRF flaws are more common than many FinTech providers & banking institutions realise,” Yaniv Balmas, VP of Research for Salt Security suggested in a statement. “API attacks are becoming more frequent & complex.”
Prime Targets
Fintech companies are especially vulnerable to compromise because their customers partners rely on a vast network of APIs to drive interactions between various websites, mobile applications & custom integrations, among other systems, researchers stated.
This, in turn, makes them “prime targets by attackers looking to abuse API vulnerabilities” for several reasons, researchers wrote.
“One, their API landscape & overall functionality is very rich & complex, which leaves a lot of room for mistakes or overlooking details in development,” they wrote.
“Two, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users’ bank accounts & funds.”
Vulnerability
Researchers discovered the problem while scanning & recording all traffic sent & received across the organisation’s website. On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers found an issue with the API the browser calls to manage the request.
“This specific API is using the endpoint located at ‘/workflows/tasks/{TASK_GUID}/values,’ the HTTP method used to call it is
PUT, & the specific request data is sent in the HTTP body section,” researchers explained.
Cryptographically Signed
The request body also carries a JWT Bearer token, which is a cryptographically signed key that lets the server know who is the requesting user & what permissions he has.
The defect was in the request parameters that send the required data for a funds transfer—specifically a parameter called “InstitutionURL,” researchers explained. This is a user-provided value that includes a URL pointing to some GUID value placed on the receiving bank website.
In this instance, the bank’s web server managed the user-supplied URL by trying to contact the URL itself, allowing for a SSRF in which the web server still tried to call an arbitrary URL if it was put into the code instead of the appropriate bank’s URL, researchers explained.
Exposing the Flaw
Researchers showed this defect by creating a ‘malformed request’ containing their own domain. The connection coming into their server was made successfully, proving that “the server blindly trusts domains provided to it in this parameter & issues a request to that URL,” they observed.
Also, the request that came into their server included a JWT token used for authentication, which turned out to be a different one than the token included in the original request.
Researchers placed the new JWT token into a request they had previously encountered to an endpoint named “/accounts/account,” which had let them retrieve information from a bank account. This time they returned even more information, they revealed.
Administrative Token
“The API endpoint recognised our new JWT administrative token & very gracefully returned a list of every user & its details across the platform,” researchers revealed.
Trying the request again to an endpoint named “/transactions/transactions” with the new token also let them access a list of all transactions made by every user on the banking system, they said.
Critical Flaw
“This vulnerability is a critical flaw, one that completely compromises every bank user,” researchers observed. “Had bad actors discovered this vulnerability, they could have caused severe damage for both the organisation & its users.”
Salt Labs hopes that highlighting API threats will make security practitioners take a closer look at how their systems may be vulnerable in this way, Balmas concluded.
