API security company Salt Security has released new API vulnerability research from Salt Labs detailing a Server-Side Request Forgery (SSRF) flaw discovered on a US-based FinTech company’s digital platform. The platform provides a wide range of digital banking services to hundreds of banks and millions of customers, and the vulnerability could have allowed administrative account takeover (ATO).
Bad actors could have used the flaw to launch attacks to: gain administrative access to the banking system, access users’ banking details and financial transactions, leak users’ personal data and perform unauthorized funds transfers into bad actors’ bank accounts.
The vulnerable functionality was already integrated into many of the FinTech company’s systems, so the flaw had the potential to expose every user account and all transaction data served by its customer banks. Upon discovering the vulnerability, Salt Labs followed coordinated disclosure practices, and all issues are now remediated. Had it been exploited, the flaw could have given attackers control over millions of users’ bank accounts and funds, resulting in significant financial loss, fraud and reputational damage.
In this instance, Salt Labs researchers could easily manipulate the platform’s external interactions that take user-supplied input values, such as URLs, which is what led to the SSRF discovery. Software and API developers should pay particular attention to user-controlled input values, adding strict validation of any destination the server will contact on the user’s behalf and behavioral detection to protect data from SSRF attacks.
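The following is an added example of the kind of validation the paragraph above recommends; it is not code from the FinTech platform, Salt Labs or Salt Security, and the allowlisted host name, the DNS answers and the attack URLs are all constructed. It validates a user-supplied URL against allowlists (scheme, host, port, no embedded credentials) and then resolves the host and rejects any address that is not globally routable, which covers loopback, RFC 1918 ranges and the 169.254.169.254 cloud metadata endpoint that SSRF attacks commonly target.

```python
"""Validate user-supplied URLs before a server fetches them (SSRF guard).

Added example, not code from the FinTech platform or Salt Labs. The
allowlisted host, the fake DNS tables and the attack URLs are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only upstream this service may call.
ALLOWED_HOSTS = frozenset({"api.core-banking.example"})
ALLOWED_SCHEMES = frozenset({"https"})


def resolve_host(host):
    """Return every address the host resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (including the 169.254.169.254
    metadata endpoint), CGNAT, documentation ranges and multicast.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolve=resolve_host):
    """Return (canonical_url, resolved_ips) or raise ValueError.

    Every check is an allowlist: https only, no embedded credentials, host
    exactly in ALLOWED_HOSTS, default port, and every resolved address public.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased; None if the netloc is empty
    if not host:
        raise ValueError("missing host")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    port = parts.port  # raises ValueError if the port is not an integer
    if port not in (None, 443):
        raise ValueError(f"port not allowed: {port}")
    ips = resolve(host)
    if not ips:
        raise ValueError(f"host does not resolve: {host!r}")
    internal = [ip for ip in ips if not is_public_address(ip)]
    if internal:
        raise ValueError(f"host resolves to non-public address(es): {internal}")
    canonical = f"https://{host}{parts.path or '/'}"
    if parts.query:
        canonical += "?" + parts.query
    return canonical, tuple(ips)


def outcome(url, dns_table):
    """Run the validator against a constructed DNS table; return a summary."""
    try:
        canonical, ips = validate_outbound_url(url, resolve=lambda h: dns_table.get(h, []))
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: {canonical} -> {','.join(ips)}"


# Constructed DNS answers: the allowlisted host is healthy in one table and
# has been pointed at an internal address (DNS-based bypass) in the other.
HEALTHY_DNS = {"api.core-banking.example": ["93.184.216.34", "2606:4700::1111"]}
REBOUND_DNS = {"api.core-banking.example": ["10.0.0.5"]}

ATTACK_URLS = [
    "http://169.254.169.254/latest/meta-data/",        # metadata service
    "https://api.core-banking.example@evil.example/",   # userinfo trick
    "https://api.core-banking.example:8080/",          # internal port
    "https://localhost/admin",                          # not allowlisted
    "file:///etc/passwd",                               # non-http scheme
]

if __name__ == "__main__":
    print(outcome("https://api.core-banking.example/accounts?id=42", HEALTHY_DNS))
    for attack in ATTACK_URLS:
        print(outcome(attack, HEALTHY_DNS))
    print(outcome("https://api.core-banking.example/", REBOUND_DNS))
```

Two caveats a practitioner should keep in mind. Validating and then letting the HTTP client resolve the name again is a time-of-check/time-of-use gap (DNS rebinding), so the fetch should connect to the addresses returned by the validator rather than re-resolving, and redirects must not be followed automatically, since a redirect target never went through this check. Input validation is also only one layer: egress network controls on the server and behavioral detection of unusual outbound destinations remain necessary.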