Highlights

  • Salt Labs identified an authentication flaw that could have enabled large-scale account takeover (ATO).
  • In the previous 12 months, 95% of firms reported experiencing an API security problem.

Salt Security, an API security provider, has published new API threat research from Salt Labs describing an API security vulnerability found on a large online cryptocurrency wallet platform. The platform offers services that let users buy and exchange cryptocurrencies online. It serves two million users globally and manages more than 150,000 Bitcoin, worth over USD 3 billion at the current BTC trading price. The API security flaw identified by Salt Labs, related to logins through external authentication providers, could have allowed large-scale Account Takeover (ATO) attacks on any customer’s account.

Salt Labs researchers found the flaw in the platform’s “User Login” function, specifically when logging in with Google. Like many other external authentication methods, Google’s login is built on OpenID Connect (OIDC), a standard that extends the widely used OAuth 2.0 authorization framework. Because the crypto platform did not implement OIDC correctly, the user’s authentication ID request was sent to the application server rather than exclusively to the OIDC service.
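To make the point above concrete, here is an added example (not code from Salt Labs, Google or the platform): when an application server receives an OIDC ID token from the client, it must verify the token under the provider’s key and check the audience, issuer, nonce and expiry before trusting the identity in it. The Go below uses only the standard library; the provider is a constructed stand-in, and the issuer, client_id and nonce values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// Only this exact header is accepted; real code parses it and picks the provider key by "kid" from its JWKS, but still pins alg to RS256 so alg=none and HMAC key-confusion tokens are rejected.
var header = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
// Mint signs claims as an RS256 JWT. It stands in for the identity provider (constructed, not Google's code).
func Mint(key *rsa.PrivateKey, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	signing := header + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig)
}
// Verify is what the application server must do with an ID token handed to it by the client before trusting "sub": check the signature under the provider's key, then aud, iss, nonce and exp.
func Verify(tok string, pub *rsa.PublicKey, iss, aud, nonce string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != header {
		return "", errors.New("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("signature does not verify under the provider key")
	}
	var c map[string]any
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad payload")
	}
	if c["aud"] != aud { // a genuine provider token minted for some other app must not log in here
		return "", errors.New("token was issued to a different client_id")
	}
	exp, _ := c["exp"].(float64) // a missing exp decodes as 0 and fails closed
	if c["iss"] != iss || c["nonce"] != nonce || float64(now.Unix()) >= exp {
		return "", errors.New("iss, nonce or exp claim rejected")
	}
	sub, _ := c["sub"].(string)
	return sub, nil
}
```

The aud check is the one that matters most for the scenario described here: a token that is genuinely signed by the provider but was issued to a different client_id must be refused, as must one whose signature, nonce or expiry does not hold.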

By chaining several issues that Salt Labs investigated, the researchers could gain access to any account on the platform that uses Google authentication as its login method, which covers many of the system’s users. Once the researchers had access to a user’s account, they could use any feature available to that user, including transferring money, viewing transaction history and viewing the user’s personal information (including name, address and bank account number), as well as other sensitive data. According to Salt Security, the flaw could have led to hundreds of millions being taken from cryptocurrency wallets.

API problems are not rare

In the past year, 95% of firms reported experiencing an API security problem. Cryptocurrency platforms have extensive API ecosystems that give users access to their wallets and make buying, selling, borrowing and earning cryptocurrency simple. The cryptocurrency platform tested by Salt Labs was vulnerable to two common API weaknesses from the OWASP API Security Top 10: Security Misconfiguration (API-7) and Lack of Resources and Rate Limiting (API-4).

This latest Salt Labs study identifies API security as a crucial component of any modern service, one that must be carefully researched and addressed as part of the service design. Implementing and configuring API-related functionality incorrectly can have serious repercussions and can even undermine security mechanisms that are considered “bulletproof” or industry standard.

Following its coordinated disclosure procedure, Salt Security informed the service of these issues. By the time this research was published, all problems had been resolved, and Salt Security had also helped identify a suitable technical fix.