API security provider Salt Security has published new research on API threats from Salt Labs that highlights an API security vulnerability discovered on a major online cryptocurrency wallet platform. Serving two million users worldwide, the platform manages more than 150,000 Bitcoin, valued at over $3 billion at the current BTC trading price, and offers a wide range of services that allow customers to buy and exchange cryptocurrency online. The API security flaw discovered by Salt Labs, associated with third-party authentication logins, could enable large-scale account takeover (ATO) attacks on any customer’s account.
Salt Labs researchers discovered the vulnerability in the platform’s “User Login” functionality, specifically when the Google authentication option is used. Like many other third-party authentication methods, Google’s login uses the OpenID Connect (OIDC) standard, an extension of the widely used OAuth 2.0 standard. The cryptocurrency platform had not implemented OIDC correctly: the user’s authentication ID request could be sent to the application server rather than exclusively to the OIDC service.
Salt Labs studied a series of attacks and, by chaining them together, the researchers were able to take over any account in the system that uses Google authentication as its login type, which covers a very large number of the platform’s users. After successfully logging into a user’s account, the researchers could have used all the features available to that user, including wire transfers, viewing transaction history, and viewing the user’s personal information (including name, address and bank account number) and other valuable data. Salt Security believes the vulnerability could potentially have been used to steal hundreds of millions from cryptocurrency wallets.
According to the report, 95% of organizations have experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast: they give customers access to their crypto wallets and allow them to easily buy, exchange, borrow and earn additional cryptocurrencies. The cryptocurrency platform evaluated by Salt Labs was prone to two common API issues from the OWASP API Security Top 10: security misconfiguration (API-7) and lack of resources and rate limiting (API-4).
This latest Salt Labs investigation into this crypto platform shows that API security is a critical part of any modern service, and one that should be carefully considered and addressed as part of service design. Improper implementation and misconfiguration of API-related functionality can have serious consequences and can sometimes completely undermine security solutions that are considered industry standard or ‘bulletproof’.
Salt Security followed its coordinated disclosure process and notified the platform of these issues. It also helped the platform find an appropriate technical solution, and all issues had been resolved at the time this research was released.
Read the full report by Salt Security.