Salt Security released new API vulnerability research from Salt Labs that
details a Server-Side Request Forgery (SSRF) flaw discovered on a US-based
FinTech company's digital platform. The FinTech platform provides a wide range
of digital banking services to hundreds of banks and millions of customers, and
the API security vulnerability has the ability to allow administrative account
takeover (ATO). Bad actors could have used the flaw to launch attacks to:
- Gain administrative access to the banking system
- Access users' banking details and financial transactions
- Leak users' personal data
- Perform unauthorized funds transfers into bad actors' bank accounts
The SSRF flaw was already
actively integrated into many of the FinTech company's systems and had the
potential to compromise every user account and transaction data served by its
customer banks. Upon discovering the vulnerability, Salt Labs followed
coordinated disclosure practices, and all issues are now remediated. However,
an abuse of this platform could have enabled attackers to control millions of
users' bank accounts and funds, resulting in significant financial losses and
theft, fraud, and reputational damage.
"Critical SSRF flaws are more
common than many FinTech providers and banking institutions realize. Had bad
actors discovered this vulnerability, they could have caused serious financial
damage to all parties involved," said Yaniv Balmas, VP of Research, Salt
Security. "API attacks are becoming more frequent and complex. Our Salt Labs
researchers discover critical vulnerabilities that put entire companies at risk
every day. By shining a light on these threats, we seek to continually educate
security practitioners about potential vulnerabilities in their systems."
According to
the Salt Security State of API Security Report, Q1 2022, 95% of
organizations experienced an API security incident in the past 12 months.
Additional research showed significant growth (681%) of malicious API traffic
in the same period. The API ecosystems of FinTech and financial service
providers are vast, with customers, banks, and credit unions relying on APIs to
drive interactions across an intricate network of websites, mobile
applications, custom integrations, webhooks, and more.
In this instance, Salt Labs researchers could easily manipulate a number of
these external interactions that accept input values, such as URLs; that
manipulation is what led to the SSRF discovery. Software and API developers
should pay particular attention to user-controlled input values, adding
validation and behavioral detection to protect data from SSRF attacks.
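As an added, defender-side example (illustrative code, not code from Salt Labs, the FinTech platform, or the research report), the block below shows one way to validate a user-controlled URL parameter before a server fetches it: the scheme, port and host are checked against an allowlist, credentials embedded in the URL are refused, and the host is resolved so that a name pointing at a loopback, private or link-local address is rejected. All hostnames, IP addresses and the allowlist are constructed for the example; the fake resolver exists only so the block runs offline.

```python
"""Deny-by-default validation of user-supplied URLs before a server fetches them.

Added example, not the platform's or Salt Labs' code. Hostnames, addresses and
the allowlist are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this service is meant to call.
ALLOWED_HOSTS = {"partner-api.example.com", "webhooks.example.net"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Constructed DNS table for offline runs. Ordinary-looking public addresses are
# used on purpose: Python's ipaddress flags the RFC 5737 TEST-NET ranges as
# non-public, so they would be rejected by is_public_address().
FAKE_DNS = {
    "partner-api.example.com": ["93.184.216.34"],
    "webhooks.example.net": ["2a01:1234::10", "93.184.216.35"],
}


def is_public_address(addr: str) -> bool:
    """True only for routable, non-special addresses (rejects loopback, RFC 1918,
    link-local, multicast, reserved and unspecified ranges)."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Default resolver: every address the OS resolves the host to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host: str) -> List[str]:
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS[host]


def validate_outbound_url(url: str,
                          resolver: Callable[[str], Iterable[str]] = system_resolver
                          ) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check is a deny-by-default rule."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # "https://allowed-host@other-host/" parses with allowed-host as userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        addresses = list(resolver(host))
    except (socket.gaierror, KeyError) as exc:
        return False, f"could not resolve {host!r}: {exc}"
    if not addresses:
        return False, f"no addresses for {host!r}"
    # Every address must be public; one internal answer is enough to refuse.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed sample inputs covering the accept path and each rejection rule.
SAMPLE_URLS = [
    "https://partner-api.example.com/v1/statements?id=42",
    "https://webhooks.example.net:443/notify",
    "http://partner-api.example.com/v1/statements",
    "https://partner-api.example.com@internal-host.example/",
    "https://127.0.0.1/admin",
    "https://partner-api.example.com:8443/",
    "https://intranet.example/",
]


def classify_samples(resolver: Callable[[str], Iterable[str]] = fake_resolver
                     ) -> Dict[str, Tuple[bool, str]]:
    """Run the validator over SAMPLE_URLS and return each verdict."""
    return {url: validate_outbound_url(url, resolver) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, reason) in classify_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {url}  ({reason})")
```

Two caveats for anyone adapting this: the validator resolves the name once, so the HTTP client must connect to the address that was validated (or re-validate after its own resolution) rather than resolving again, otherwise a name that changes answers between the check and the fetch slips through; and redirects must not be followed automatically, since a redirect target is another user-influenced URL that has not been validated.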
"Modern
banking applications are under constant attack, yet APIs remain an underserved
part of the changed attack surface. Defending against API attacks requires
better security tooling that can detect the subtle probing activities of bad
actors looking for business logic flaws," said Roey Eliyahu, CEO and
co-founder, Salt Security. "In our experience, most companies are ill-prepared
to defend against an API attack because traditional security tools such as web
application firewalls (WAFs) and API gateways cannot detect API manipulation. The consequences can be severe,
spanning both monetary and reputational damage."
The Salt Security API Protection Platform directly addresses the types of vulnerabilities that stem
from flawed API implementations and the attacks listed in the OWASP API Top 10 list,
including security misconfiguration and SSRF. As the first and only API
security solution to utilize cloud-scale big data, artificial intelligence (AI)
and machine learning (ML), the Salt Security platform baselines the activity of
millions of users and API calls in parallel to detect the reconnaissance
activity of bad actors and block them before they can reach their objective.
Through its unique API Context Engine (ACE) architecture, the API Protection
Platform protects APIs across build, deploy and runtime phases, discovers all
APIs and the sensitive data that they expose, pinpoints and stops API
attackers, and provides remediation insights learned during runtime that
developers can use to harden APIs.
The full SSRF
vulnerability report, including how Salt Labs conducted the research and steps
for mitigation, is available.