Salt Labs Discovered an Authentication Error That Could Have Allowed a Mass Account Takeover (ATO)
PALO ALTO, California, July 7, 2022 /PRNewswire/ — Salt Security, the leader in API security, today released new research from Salt Labs highlighting an API security vulnerability discovered on a major online cryptocurrency wallet platform. The platform serves two million users worldwide and provides customers with a wide range of services to buy and trade cryptocurrencies online. The API security flaw discovered by Salt Labs, related to third-party authentication logins, could allow large-scale Account Takeover (ATO) attacks on any customer’s account. The vulnerability could have allowed the theft of hundreds of millions of dollars from cryptocurrency wallets.
Salt Labs researchers discovered the vulnerability in the platform’s “User Login” feature, specifically when signing in with Google. Like many third-party authentication providers, Google uses the OpenID Connect (OIDC) standard, an extension of the widely used OAuth 2.0 authorization standard. The cryptocurrency platform failed to implement OIDC correctly: the user’s authentication ID request could be sent to the application server rather than exclusively to the OIDC service, so the application ended up trusting identity information it had not verified with the identity provider.
The identified vulnerability allowed malicious actors to:
- Transfer account balances to a user’s cryptocurrency wallet or private bank account
- Take over a large portion of user accounts in the system
- Gain full access to a user’s account and transfer funds to a location of their choice, as well as perform other financial actions on that user’s behalf
“Cryptocurrency platforms rely on data connectivity APIs that power their online services,” said Yaniv Balmas, vice president of research, Salt Security. “Salt Labs research shows the dangers that API misconfiguration can cause and underscores the need for greater insight into these vast API ecosystems to protect critical services and valuable customer data. Even a minor security breach can potentially devastate a business.”
Cryptocurrency platforms are a huge target for attackers, as proven again by last week’s theft of $100 million in cryptocurrency from Horizon, a blockchain bridge developed by crypto startup Harmony.
According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations have experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast, giving customers access to their crypto wallets and making it easy for them to buy, trade, borrow and earn additional cryptocurrencies. The cryptocurrency platform reviewed by Salt Labs was prone to two common API issues from the OWASP API Security Top 10:
- Security Misconfiguration (API7)
- Lack of Resources & Rate Limiting (API4)
After discovering the vulnerability, Salt Labs researchers followed coordinated disclosure practices and all issues were resolved.
The Salt Security API Protection Platform addresses the types of vulnerabilities identified in this cryptocurrency platform and other potential attacks in the OWASP API Security Top 10 list. As the only API security solution that leverages big data, artificial intelligence (AI), and machine learning (ML) at cloud scale, the Salt Security platform baselines the behavior of millions of users and API calls across hundreds of attributes in near real time. As a result, it can detect and block the reconnaissance activity of bad actors before they reach their target. With its unique API Context Engine (ACE) architecture, the Salt API Protection Platform protects APIs at build, deploy, and runtime – discovering all APIs and the sensitive data they expose, identifying and stopping API attackers, and providing remediation insights learned at runtime that developers can use to strengthen their APIs.
The full report, including how Salt Labs conducted this investigation and the recommended mitigation actions, is available on the Salt Labs website.
To learn more about Salt Security, the platform, or to request a demo, visit: https://content.salt.security/demo.html
About Salt Security
Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry’s first proprietary solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Only Salt Security can correlate the activities of millions of APIs and users over time and provide real-time analysis of all that data. Deployed in minutes, the Salt Security platform learns the granular behavior of an organization’s APIs and requires no configuration or customization to identify and block API attackers. For more information, visit: https://salt.security
SOURCE Salt Security