Salt Labs has identified an authentication error that could have enabled a large-scale account takeover (ATO)
PALO ALTO, California, July 7, 2022 / PRNewswire / – Salt Security, the leader in API security, today released new research on API threats from Salt Labs which highlights an API security vulnerability discovered on a major online cryptocurrency wallet platform. The platform serves two million users worldwide and offers a wide range of services so that customers can buy and trade cryptocurrencies online. The API security vulnerability discovered by Salt Labs, related to remote authentication logins, could have allowed large-scale account takeover (ATO) attacks on any customer’s account. The vulnerability could have allowed the theft of hundreds of millions of dollars from cryptocurrency wallets.
Salt Labs researchers discovered the vulnerability in the platform’s “User Login” feature, specifically when using Google’s authentication option. Like many external authentication methods, Google uses the OpenID Connect (OIDC) standard, which is an extension of another common authorization standard, OAuth 2.0. The cryptocurrency platform did not implement OIDC correctly: the user’s authentication ID request could be sent to the application server rather than exclusively to the OIDC service.
The identified vulnerability could have enabled malicious actors to:
- Transfer account balances to a wallet or private bank account of their choosing
- Take over a large portion of the user accounts on the system
- Gain full access to a user’s account and transfer money to any destination of their choice, as well as perform any other financial action on behalf of that user
“Cryptocurrency platforms rely on data connection APIs that run their online services,” said Yaniv Balmas, Vice President of Research, Salt Security. “Salt Labs research shows the dangers that API misconfiguration can cause and emphasizes the need for greater visibility in these huge API ecosystems to protect critical services and valuable customer data. Even a minor security breach can potentially ruin a business.”
Cryptocurrency platforms are a big target for attackers, as proven again by last week’s theft of $100 million in cryptocurrency from Horizon, a blockchain bridge developed by cryptocurrency startup Harmony.
According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations have experienced an API security incident within the last 12 months. The API ecosystems of cryptocurrency platforms are huge, giving customers access to their cryptocurrency wallets and enabling them to easily buy, trade, borrow and earn additional cryptocurrencies. The cryptocurrency platform notified by Salt Labs was susceptible to two common API issues:
- Security Misconfiguration (API-7)
- Lack of Resources and Rate Limiting (API-4)
After discovering the vulnerability, Salt Labs researchers followed coordinated disclosure practices and all issues were resolved.
The Salt Security API Protection Platform addresses the types of vulnerabilities identified in this cryptocurrency platform and other potential attacks in the OWASP API Security Top 10 list. As the only API security solution to use big data, cloud-based artificial intelligence (AI) and machine learning (ML), the Salt Security platform baselines the behavior of millions of users and API calls across hundreds of attributes in near real time. As a result, it can detect bad actors’ reconnaissance activity and block them before they reach their goal. With its unique API Context Engine (ACE) architecture, the Salt API Protection Platform protects APIs during build, deployment and runtime – discovering all APIs and the sensitive data they expose, identifying and stopping API attackers, and providing remediation insights learned at runtime that developers can use to harden APIs.
The full report, including how Salt Labs conducted this research and mitigation measures, is available here.
To learn more about Salt Security, its platform, or to request a demo, please visit https://content.salt.security/demo.html.
About Salt Security
Salt Security protects the APIs that make up the heart of any modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks by using machine learning and AI to automatically and continuously identify and protect APIs. Only Salt Security has the ability to correlate the activities of millions of APIs and users over time and provide real-time analysis of all this data. Rolled out in minutes, the Salt Security platform learns the granular behavior of an organization’s APIs and requires no configuration or customization to identify and block API attackers. For more information, please visit: https://salt.security
SOURCE Salt Security