Researchers identified a vulnerability in an API currently built into many banking systems, which could have defrauded tens of millions of customers by giving attackers access to their money.
A server-side request forgery (SSRF) flaw in the API of a large financial technology (fintech) platform could have compromised millions of bank customers, allowing attackers to defraud them by taking control of their bank accounts and funds, researchers have found.
A team at Salt Security’s Salt Labs found the vulnerability in an API on a website that supports the company’s platform fund-transfer functionality, which lets customers transfer funds from their accounts on the platform into their bank accounts, the researchers disclosed in a report published Thursday.

The company in question, dubbed “Acme Fintech” to preserve its anonymity, offers a “digital transformation” service for banks of all sizes, allowing the institutions to move traditional banking services online. The platform has already been integrated into numerous banks’ applications and therefore has millions of active daily users, the researchers said.
Had the flaw been exploited, attackers could have carried out a range of malicious activities by gaining administrative access to the banking system through the platform. From there they could have leaked users’ personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, the researchers said.
Upon identifying the vulnerability, the researchers reported their findings and provided suggested mitigations to the company, they said.
High Reward for Threat Actors
API flaws are often overlooked, but Salt Labs researchers said in the report that they “see vulnerabilities like this one and other API-related issues on a daily basis.”
Indeed, 5% of organizations experienced an API security incident in the past 12 months, according to the company’s State of API Security report for the first quarter of 2022. The same period also showed significant growth in malicious API traffic, they said.
“Critical SSRF flaws are more common than many FinTech providers and banking institutions realize,” Yaniv Balmas, vice president of research for Salt Security, said in a press statement. “API attacks are becoming more frequent and sophisticated.”
Fintech providers are particularly susceptible to compromise because their customers and partners rely on a vast network of APIs to drive interactions across multiple websites, mobile apps and custom integrations, among other systems, the researchers said.
This, in turn, makes them “prime targets for attackers looking to abuse API vulnerabilities” for a couple of reasons, the researchers wrote.
“One, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooked details in development,” they wrote. “Two, if a bad actor can successfully abuse this type of platform, the potential gains are substantial, because it could allow control of millions of users’ bank accounts and funds.”
The Vulnerability
The researchers discovered the flaw while scanning and recording all traffic sent and received across the company’s website. On a page that connects customers to various banking institutions so they can transfer funds to their bank accounts, the researchers found an issue with the API the browser calls to handle the request.
“This particular API uses the endpoint located at ‘/workflows/responsibilities/Task_GUID/values,’ the HTTP method used to call it is PUT, and the specific request data is sent in the HTTP body,” the researchers explained.
The request body also carries a JWT Bearer token, a cryptographically signed key that tells the server who the requesting user is and what permissions they have.
The flaw lay in the request parameters that send the required data for a money transfer, specifically a parameter called “InstitutionURL,” the researchers explained. This is a user-supplied value containing a URL that points to some GUID value located on the receiving bank’s website.
In this case, the bank’s web server handled the user-supplied URL by attempting to call that URL itself, allowing an SSRF in which the web server would still call an arbitrary URL if one was inserted in place of the intended bank’s URL, the researchers explained.
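The root cause described above is a server that fetches whatever URL arrives in InstitutionURL. The following Python is an added illustration, not Salt Labs’ or the platform’s code: it shows the missing check as an allowlist validator for that parameter (hostnames and the per-institution credential placeholder are invented), and builds the outbound request without ever forwarding a platform JWT to the destination.

```python
"""Added example: validating a user-supplied InstitutionURL before the
server fetches it, and keeping platform JWTs out of that outbound call."""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist: hosts of institutions the platform actually integrates with.
ALLOWED_INSTITUTION_HOSTS = {"api.bank-one.example", "transfer.bank-two.example"}


class InvalidInstitutionURL(ValueError):
    """Raised when the supplied URL is not a known institution endpoint."""


def validate_institution_url(raw: str) -> str:
    """Return a canonical https URL on an allowlisted host, or raise.

    The vulnerable behaviour in the article is the absence of this check:
    the server issued a request to any URL the client supplied.
    """
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise InvalidInstitutionURL("only https is permitted")
    # Reject userinfo so 'https://api.bank-one.example@evil.example/' cannot
    # masquerade as an allowlisted host, and reject explicit ports outright.
    if parts.username is not None or parts.password is not None:
        raise InvalidInstitutionURL("userinfo is not permitted")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise InvalidInstitutionURL("malformed port") from exc
    if port is not None:
        raise InvalidInstitutionURL("explicit port is not permitted")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_INSTITUTION_HOSTS:
        raise InvalidInstitutionURL(f"host not in allowlist: {host!r}")
    # Keep path and query (the institution GUID lives there); drop the fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_allowed_institution_url(raw: str) -> bool:
    """Boolean wrapper around validate_institution_url for callers and tests."""
    try:
        validate_institution_url(raw)
    except InvalidInstitutionURL:
        return False
    return True


def build_outbound_request(raw_institution_url: str, caller_jwt: str) -> dict:
    """Describe the server-to-institution call for a transfer workflow.

    caller_jwt authenticates the caller to this platform only and is never
    forwarded; the institution call uses a per-institution credential
    (placeholder), so a redirected URL can never capture a platform token.
    """
    url = validate_institution_url(raw_institution_url)
    return {"method": "GET", "url": url,
            "headers": {"Authorization": "Bearer <PER-INSTITUTION-CREDENTIAL-PLACEHOLDER>"}}
```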
Exposing the SSRF Flaw
The researchers demonstrated the flaw by forging a malformed request containing their own domain. The connection arriving at their server was made successfully, proving that “the server blindly trusts domains provided to it in this parameter and issues a request to that URL,” they wrote.
Furthermore, the request that arrived at their server included a JWT token used for authentication, which turned out to be a different one from the token included in the original request.
The researchers embedded the new JWT token into a request they had previously encountered to an endpoint named “/accounts/account,” which had allowed them to retrieve information from a bank account. This time it returned far more data, they said.
“The API endpoint accepted our new JWT administrative token and quite gracefully returned a list of every user and their details across the platform,” the researchers found.
Trying the request again against an endpoint named “/transactions/transactions” with the new token also allowed them to access a list of all transactions made by every user on the banking platform, they said.
“This vulnerability is a critical flaw, one that fully compromises every single bank user,” the researchers said. “Had bad actors discovered this vulnerability, they could have caused serious damage for both [the company] and its users.”
Salt Labs hopes that shining a light on API threats will encourage security practitioners to take a closer look at how their systems might be susceptible in this way, Balmas said.
Some elements of this article are sourced from:
threatpost.com