Updated: Jul 14, 2022
The API security flaw could have allowed for large-scale account takeover attacks of any customer account
Israeli API security company Salt Security released new API threat research from Salt Labs that highlights a vulnerability discovered on a large online cryptocurrency wallet platform. Serving two million users worldwide, the platform provides a wide range of services enabling customers to buy and exchange cryptocurrencies online.
The API security flaw discovered by Salt Labs, tied to external authentication logins, could have allowed for large-scale account takeover (ATO) attacks on any customer account. The vulnerability could have allowed hundreds of millions of dollars to be stolen from cryptocurrency wallets.
According to the company, Salt Labs' researchers discovered the vulnerability in the "User Login" functionality of the platform specifically when using the Google authentication feature.
Like many external authentication methods, Google's login uses the OpenID Connect (OIDC) standard, an identity layer built on top of the common OAuth 2.0 authorization standard.
The cryptocurrency platform failed to implement OIDC correctly: the user's authentication identifier could be submitted in a request to the application server itself, rather than being accepted exclusively from the OIDC service.
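As an added illustration, not code from the platform or from Salt Labs, here is the misconfigured login pattern beside a correct one: the first trusts a user identifier posted to the application server, the second accepts only an ID token it can verify as issued by the identity provider and derives the account from the verified `sub` claim. The issuer, client_id and HMAC secret are assumed stand-ins; Google actually signs ID tokens with RS256 keys published via its JWKS endpoint, but the checks (signature, issuer, audience, expiry) are the same.

```python
import base64, hashlib, hmac, json, time

# Constructed example: an HMAC shared secret stands in for the provider's
# signing key so the block runs offline. Google signs ID tokens with RS256
# and publishes its public keys via JWKS; the checks below are the same.
ISSUER = "https://idp.example"       # assumed issuer URL
CLIENT_ID = "wallet-app"             # assumed OAuth client_id (audience)
SECRET = b"constructed-demo-secret"  # constructed, not a real key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Mint a signed ID token the way the identity provider would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def login_vulnerable(request: dict) -> str:
    """Misconfigured flow: the identity arrives as a plain field in the
    request to the application server and is trusted as-is, so the caller
    decides which account is opened."""
    return request["user_id"]

def login_hardened(request: dict, now=None) -> str:
    """Correct flow: accept only an ID token issued by the provider, verify
    it, and derive the account from the verified 'sub' claim."""
    now = time.time() if now is None else now
    try:
        header, body, sig = request["id_token"].split(".")
    except (KeyError, ValueError):
        raise PermissionError("missing or malformed id_token")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # no algorithm confusion
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims["sub"]
```

A production deployment would also bind the token to the login session with a `nonce` and fetch the provider's keys by `kid` from its JWKS document.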
The vulnerability identified could have allowed bad actors to gain complete access to a user's account: transfer the account balance to a cryptocurrency wallet or private bank account of their choosing, take over a large portion of the user's holdings on the platform, and perform any other financial action on behalf of that user.
"Cryptocurrency platforms rely on APIs for the data connectivity that powers their online services," said Yaniv Balmas, VP of Research, Salt Security.
"The Salt Labs research demonstrates the dangers that an API misconfiguration can cause and highlights the need for stronger visibility into these vast API ecosystems in order to protect critical services and customers' valuable data. Even a minor security flaw holds the potential to devastate a business."
Cryptocurrency platforms represent a huge target for attackers, evidenced again by the recent theft of $100 million in cryptocurrency from Horizon, a blockchain bridge developed by crypto start-up Harmony.
According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast, providing customers access to their crypto wallets and enabling them to purchase, exchange, borrow, and earn additional cryptocurrencies easily.
The cryptocurrency platform evaluated by Salt Labs was susceptible to two common API issues: security misconfiguration, and lack of resource and rate limiting.
Upon discovering the vulnerability, Salt Labs' researchers followed coordinated disclosure practices, and all issues have been remediated.