Application programming interface security startup Salt Security Inc. today released new threat research highlighting an API security vulnerability discovered on a large online cryptocurrency wallet platform.
The name of the cryptocurrency wallet platform is not disclosed, but is described as serving 2 million users and providing a wide range of services enabling customers to buy and exchange cryptocurrencies. The API security flaw, tied to external authentication logins, was found to allow potential large-scale account takeover attacks on any customer’s account.
Salt Labs’ researchers found a vulnerability in the “User Login” functionality on the platform when using the Google authentication feature. Google’s login uses OpenID Connect (OIDC), a standard identity layer built on top of the common OAuth 2.0 authorization framework. In this case, the unnamed cryptocurrency platform failed to implement OIDC correctly, allowing the user authentication ID request to be sent to the application server rather than exclusively to the OIDC service.
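As an added illustration of the defensive side (not code from Salt Labs or the affected platform), the checks a relying party’s server must perform on an ID token before trusting the login: signature, issuer, audience, expiry and nonce. The issuer, client ID and key are constructed values, and the token is HS256-signed with a shared key so the example runs offline; real Google ID tokens are RS256-signed and must be verified against Google’s published keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example, not the affected platform's configuration.
ISSUER = "https://accounts.google.com"  # expected `iss` of a Google-issued ID token
CLIENT_ID = "example-client-id"          # the relying party's own OAuth client_id
SHARED_KEY = b"constructed-demo-key"     # HS256 key for the demo; Google really uses RS256

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the token the OIDC provider issues (HS256 only so the demo runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now: float) -> dict:
    """Checks a relying party must make before trusting a login; raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # only the OIDC provider may assert identity
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # binds the token to this login attempt
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims
```

The application server should map the verified `sub` claim to a local account only after every check passes; any identity assertion that did not come signed from the OIDC provider is rejected.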
The vulnerability could have allowed an attacker to transfer account balances to a user’s cryptocurrency wallet or private bank account and take over a large portion of a user’s account in the system. Ultimately, an attacker could gain complete access to a user’s account and transfer funds to any location of their choice, as well as perform any other financial activities on behalf of that user.
Upon discovering the vulnerability, Salt Labs’ researchers followed standard disclosure practices in contacting the affected cryptocurrency wallet provider about the issue. The API vulnerability has since been remediated.
Had hackers uncovered the vulnerability before it was remedied, the risk to users would have been very real. In late June, more than $100 million in cryptocurrency was stolen from Horizon Bridge, a blockchain bridge service by Harmony.
“Cryptocurrency platforms rely on APIs for the data connectivity that powers their online services,” Yaniv Balmas, vice president of research at Salt Security, said in a statement. “The Salt Labs research demonstrates the dangers that an API misconfiguration can cause and highlights the need for stronger visibility into these vast API ecosystems in order to protect critical services and customers’ valuable data. Even a minor security flaw holds the potential to devastate a business.”
Salt Security was last in the news in February when it raised $140 million in new funding on a valuation of $1.4 billion. Investors in the round included CapitalG, Sequoia Capital, Y Combinator, Tenaya Capital, S Capital VC, Advent International, Alkeon Capital and DFJ Growth.