Salt Security Finds API Security Flaw on Cryptocurrency Platform That Could Have Allowed Millions in Crypto Wallet Theft – PR Newswire
Salt Labs identified an authentication flaw that could have enabled large-scale account takeover (ATO)
PALO ALTO, Calif., July 7, 2022 /PRNewswire/ — Salt Security, the leading API security company, today released new API threat research from Salt Labs that highlights an API security vulnerability discovered on a large online cryptocurrency wallet platform. Serving two…….
Salt Labs identified an authentication flaw that could have enabled large-scale account takeover (ATO)
PALO ALTO, Calif., July 7, 2022 /PRNewswire/ — Salt Security, the leading API security company, today released new API threat research from Salt Labs that highlights an API security vulnerability discovered on a large online cryptocurrency wallet platform. Serving two million users worldwide, the platform provides a wide range of services enabling customers to buy and exchange cryptocurrencies online. The API security flaw discovered by Salt Labs, tied to external authentication logins, could allow for large-scale account takeover (ATO) attacks on any customer’s account. The vulnerability could have allowed for hundreds of millions to be stolen from crypto currency wallets.
Salt Labs’ researchers discovered the vulnerability in the “User Login” functionality of the platform specifically when using the Google authentication feature. Like many external authentication methods, Google utilizes a standard OpenID Connect (OIDC), which is an extension to another common authorization standard, OAuth 2.0. The cryptocurrency platform failed to implement OIDC correctly, allowing the user authentication ID request to be sent to the application server and not the OIDC service exclusively.
The vulnerability identified could have allowed bad actors to:
- Transfer account balances to a user’s cryptocurrency wallet or private bank account
- Take over a large portion of a user’s account in the system
- Gain complete access to a user’s account and transfer funds to any location of their choice, as well as perform any other financial action on behalf of that user
“Cryptocurrency platforms rely on APIs for the data connectivity that powers their online services,” said Yaniv Balmas, VP of Research, Salt Security. “The Salt Labs research demonstrates the dangers that an API misconfiguration can cause and highlights the need for stronger visibility into these vast API ecosystems in order to protect critical services and customers’ valuable data. Even a minor security flaw holds the potential to devastate a business.”
Cryptocurrency platforms represent a huge target for attackers, evidenced again by last week’s theft of $100 million in cryptocurrency from Horizon, a blockchain bridge developed by crypto start-up Harmony.
According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast, providing customers access to their crypto wallets and enabling them to purchase, exchange, borrow and earn additional cryptocurrencies easily. The cryptocurrency platform evaluated by Salt Labs was susceptible to two common API issues:
- Security misconfiguration (API-7)
- Lack of resource and rate limiting (API-4)
Upon discovering the vulnerability, Salt Labs’ researchers followed coordinated disclosure practices, and all issues have been remediated.
The Salt Security API Protection Platform addresses the types of vulnerabilities identified in this cryptocurrency platform and other potential attacks in the OWASP API Top 10 list. As the only API security solution to utilize cloud-scale big data, artificial intelligence (AI) and machine learning (ML), the Salt Security platform baselines the activity of millions of users and API calls across 100s of attributes in near real time. As a result, it can detect the reconnaissance activity of bad actors and block them before they can reach their objective. Through its unique API Context Engine (ACE) architecture, the Salt API Protection Platform protects APIs across build, deploy and runtime phases – it discovers all APIs and the sensitive data that they expose, pinpoints and stops API attackers, and provides remediation insights learned during runtime that developers can use to harden APIs.
The full report, including how Salt Labs conducted this research and steps for mitigation, is available here.
To learn more about Salt Security, its platform, or to request a demo, please visit https://content.salt.security/demo.html.
About Salt Security
Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Only Salt Security has the ability to correlate activities across millions of APIs and users over time and provide real-time analysis of all that data. Deployed in minutes, the Salt Security platform learns the granular behavior of a company’s APIs and requires no configuration or customization to pinpoint and block API attackers. For more information, please visit: https://salt.security
Press Contact
Dex Polizzi
Lumina Communications
[email protected]
SOURCE Salt Security
