Salt Labs has uncovered a Server-Side Request Forgery (SSRF) vulnerability on a major FinTech platform, enabling an administrative account takeover. Researchers identified API vulnerabilities that would have allowed attacks in which:
- Attackers could gain administrative access to the banking platform
- Attackers could leak users’ personal data
- Attackers could access users’ banking details and financial transactions
- Attackers could perform unauthorised funds transfers into their own bank accounts
This discovery is especially concerning because FinTech platforms are near-irresistible targets for threat actors. On the technical side, platforms such as this typically have extremely rich and complex API environments, leaving a lot of room for error and many potential entry points for attackers. The more obvious draw for attackers is that a successful abuse of a FinTech platform could yield enormous financial rewards, as it could grant access to millions of users' bank accounts.
Avishai Avivi, CISO at SafeBreach, notes how this research should be a wakeup call for organisations that neglect their API security responsibilities:
“Salt Labs highlights the ‘soft underbelly’ of APIs. Companies invest most resources protecting their front-end processes, namely the websites, web, and mobile applications, but sadly neglect some of the much-required work on the backend, where their APIs live,” he said.
Avivi also pointed out that these oft-neglected backend APIs typically grant business partners more access than customers get through the front end.
“It is also a side typically not directly tested as part of the penetration testing that most companies engage in. This makes it a very appealing target to hackers, who can leverage some of the implicit trust in their APIs. The Open Web Application Security Project (OWASP) published its top ten API security issues in 2019, and companies are still playing catch-up,” he continued.
In the full report, Salt Labs pointed out that it’s exceedingly unlikely that this is an isolated incident.
“We at Salt Labs see vulnerabilities like this one and other API-related issues on a daily basis,” the security vendor said.