Image Credit: Getty Images

API Security provider Salt Security has published new API threat research from Salt Labs that highlights an API security vulnerability discovered on a large online cryptocurrency wallet platform. Serving two million users worldwide, and managing more than 150,000 Bitcoin, valued at over $3B according to current BTC trade price, the platform provides a wide range of services enabling customers to buy and exchange cryptocurrencies online. The API security flaw discovered by Salt Labs, tied to external authentication logins, could allow for large-scale account takeover (ATO) attacks on any customer’s account.

Salt Labs’ researchers discovered the vulnerability in the “User Login” functionality of the platform specifically when using the Google authentication feature. Like many external authentication methods, Google utilizes a standard OpenID Connect (OIDC), which is an extension to another common authorization standard, OAuth 2.0. The cryptocurrency platform failed to implement OIDC correctly, allowing the user authentication ID request to be sent to the application server and not the OIDC service exclusively.

Salt Labs studied a series of attacks, and by linking them, the researchers could take over any account in the system that is using Google authentication as the login type, which applies to a very large number of users in the system. Once they successfully logged in to a user’s accounts, the researchers could potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user’s personal data (which might include name, address, bank account number) and other valuable data. Salt Security believes that the vulnerability could have allowed for hundreds of millions to be stolen from crypto currency wallets.

According to the report, 95% of organizations experienced an API security incident in the past 12 months. The API ecosystems of cryptocurrency platforms are vast, providing customers access to their crypto wallets and enabling them to purchase, exchange, borrow and earn additional cryptocurrencies easily. The cryptocurrency platform evaluated by Salt Labs was susceptible to two common API issues: Security misconfiguration (API-7) and lack of resource and rate limiting (API-4).

This latest research Salt Labs research on this crypto platform demonstrates that API security is a critical part in any modern service, and one that needs to be carefully considered and addressed as part of the service design. Improper implementation and misconfiguration of API-related functionality may have severe consequences and at times could even completely break security solutions that are considered to be industry standard or “bullet proof.”

Salt Security followed their coordinated disclosure process and notified the service of these issues. They also assisted in finding an appropriate technical solution, and all issues have been resolved at the time of the release of this research. 

Read the full report by Salt Security.