Salt Labs’ researchers discovered the vulnerability in the “User Login” functionality of the platform, specifically when signing in with the Google authentication option. Like many external authentication providers, Google supports OpenID Connect (OIDC), an identity layer built on top of the OAuth 2.0 authorization framework. The cryptocurrency platform did not implement OIDC correctly: the user’s authentication ID request could be sent to the application server itself rather than exclusively to the OIDC service, so a step that should have been handled only by the identity provider was exposed to the application’s own API.
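The checks a relying party must perform on an OIDC ID token before trusting any of its claims, shown here as an added example (not the platform’s code and not a reconstruction of its actual defect): the signature, issuer, audience, expiry and nonce validation required by OpenID Connect Core 1.0 section 3.1.3.7, with an insecure “decode and trust” login path placed next to the strict one. The issuer, client ID, nonce, e-mail addresses and signing key are constructed values for the example, and HMAC-SHA256 stands in for the RS256 signature that Google actually uses, which a real relying party verifies against the provider’s published JWKS keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; none of them come from the platform in the article.
ISSUER = "https://accounts.google.com"                    # the provider's "iss" value
CLIENT_ID = "example-client.apps.googleusercontent.com"   # hypothetical relying-party client ID
# Stand-in provider key. Real Google ID tokens are RS256-signed and are verified against the
# public keys the provider publishes (JWKS); HMAC keeps this example dependency-free.
PROVIDER_KEY = b"constructed-provider-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = PROVIDER_KEY, alg: str = "HS256") -> str:
    """Build a JWT. alg="none" produces an unsigned token, the shape an attacker would submit."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        signature = ""
    else:
        signature = _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + signature


def naive_login(id_token: str) -> str:
    """Insecure pattern: decode the payload and trust its claims without any verification.
    Whoever controls the request controls the identity the server sees."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))["email"]


def validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """ID Token validation as OpenID Connect Core 1.0 section 3.1.3.7 requires of a relying party:
    signature, issuer, audience, expiry and nonce must all check out before any claim is trusted."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: this rejects alg="none" and any attempt to swap the signing scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(PROVIDER_KEY, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud")
    audience = [audience] if isinstance(audience, str) else (audience or [])
    if CLIENT_ID not in audience:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo(now=None) -> dict:
    """Run a genuine token and an attacker-forged one through both login paths."""
    now = time.time() if now is None else now
    nonce = "constructed-nonce-1"
    base = {"iss": ISSUER, "aud": CLIENT_ID, "email_verified": True,
            "iat": int(now), "exp": int(now) + 300, "nonce": nonce}
    genuine = mint_id_token({**base, "sub": "1001", "email": "alice@example.com"})
    # The attacker never talked to the provider: they wrote the victim's e-mail into an unsigned token.
    forged = mint_id_token({**base, "sub": "2002", "email": "victim@example.com"}, alg="none")
    results = {
        "naive_genuine": naive_login(genuine),
        "naive_forged": naive_login(forged),
        "strict_genuine": validate_id_token(genuine, nonce, now)["email"],
    }
    try:
        validate_id_token(forged, nonce, now)
        results["strict_forged"] = "accepted"
    except ValueError as err:
        results["strict_forged"] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The naive path logs the attacker in as whatever e-mail they typed into the token; the strict path refuses it at the first check, and would equally refuse a token signed with the wrong key, issued for another client, expired, or replayed with a stale nonce. The nonce is what ties the token to the login request the application itself started, which is the binding a relying party loses when it lets clients hand it authentication material that never passed through the identity provider.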
The vulnerability identified could have allowed bad actors to:
- Transfer account balances to a user’s cryptocurrency wallet or private bank account
- Take over a large portion of a user’s account in the system
- Gain complete access to a user’s account and transfer funds to any location of their choice, as well as perform any other financial action on behalf of that user
“Cryptocurrency platforms rely on APIs for the data connectivity that powers their online services,” said Yaniv Balmas, VP of Research, Salt Security. “The Salt Labs research demonstrates the dangers that an API misconfiguration can cause and highlights the need for stronger visibility into these vast API ecosystems in order to protect critical services and customers’ valuable data. Even a minor security flaw holds the potential to devastate a business.”
Cryptocurrency platforms represent a huge target for attackers, evidenced again by last week’s theft of $100 million in cryptocurrency from Horizon, a blockchain bridge developed by crypto start-up Harmony.
According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast, providing customers access to their crypto wallets and enabling them to purchase, exchange, borrow and earn additional cryptocurrencies easily. The cryptocurrency platform evaluated by Salt Labs was susceptible to two common API issues from the OWASP API Security Top 10:
- Security misconfiguration (API7)
- Lack of resources and rate limiting (API4)
Upon discovering the vulnerability, Salt Labs’ researchers followed coordinated disclosure practices, and all issues have been remediated.
The Salt Security API Protection Platform addresses the types of vulnerabilities identified in this cryptocurrency platform and other potential attacks in the OWASP API Security Top 10 list. As the only API security solution to utilize cloud-scale big data, artificial intelligence (AI) and machine learning (ML), the Salt Security platform baselines the activity of millions of users and API calls across hundreds of attributes in near real time. As a result, it can detect the reconnaissance activity of bad actors and block them before they reach their objective. Through its unique API Context Engine (ACE) architecture, the Salt API Protection Platform protects APIs across the build, deploy and runtime phases: it discovers all APIs and the sensitive data they expose, pinpoints and stops API attackers, and provides remediation insights learned during runtime that developers can use to harden APIs.