
Researchers Find Major Flaw in Banking Platform Potentially Affecting Millions


A cybersecurity research team discovered a significant vulnerability in a financial services platform that has already been implemented in a large number of banking systems.

The team at Salt Labs discovered a major flaw in the API used by the financial platform. The flaw was a server-side request forgery (SSRF). Had it been successfully exploited, it could have led to a potential disaster, allowing threat actors to drain the bank accounts of millions of users.

Flaw could allow hackers admin access

The flaw was discovered in a page containing functionality that allows customers of the financial services platform to move money from their platform wallets to their bank accounts.

The company that owns and controls the financial service platform was not named but is described as one that offers services that allow banks to move from traditional to online banking. According to the research team at Salt Labs, there are currently millions of people who use that platform.

The issue discovered was significant enough to be able to give potential threat actors admin access to the bank that chose to implement the platform in question. Once such a high level of privileged access is obtained, the sky's the limit. Hackers could have abused this in many ways, from draining customer accounts to stealing their personally identifiable information and accessing information about past transactions.

The vulnerability was discovered while the researchers were monitoring traffic across the unnamed company's website. There, they spotted a fault in the API that the browser calls to handle requests.

Bad parameter handling at the root of the flaw

The flaw allowed an attacker to insert their own value into a parameter on the page and have the API contact that new, arbitrary domain URL instead of the one provided by the banking institution using the platform.

As proof of the vulnerability, Salt Labs doctored a request, replacing the domain of the banking institution with their own, and received the connection on their end. In short, this proved that the server never checks the domain string and "trusts" whatever it receives in the InstitutionURL parameter, allowing for tampering.
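As an added illustration (not code from Salt Labs or the platform vendor), here is the kind of server-side check that would have stopped this: instead of trusting the InstitutionURL string as received, the API resolves it against a registry of institutions the platform actually serves. The registry, institution ids and hostnames are constructed for the example.

```python
# Added example: validating a client-supplied InstitutionURL parameter
# against a server-side registry instead of contacting whatever it names.
from typing import Optional
from urllib.parse import urlparse, urlunparse

# Constructed registry: institution id -> exact origin the platform may contact.
INSTITUTION_ORIGINS = {
    "bank-001": "https://api.bank-one.example",
    "bank-002": "https://transfers.bank-two.example",
}


def validate_institution_url(institution_url: str) -> Optional[str]:
    """Return a rebuilt URL only if scheme and host exactly match a registered
    institution origin; otherwise return None so the caller rejects the request."""
    parsed = urlparse(institution_url)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port not in (None, 443):
        return None
    # Compare on .hostname, not .netloc: .hostname is lowercased and has any
    # userinfo ("bank.example@other.example") and port already stripped.
    candidate = f"{parsed.scheme}://{parsed.hostname}"
    if candidate not in INSTITUTION_ORIGINS.values():
        return None
    # Rebuild the URL from the validated parts so userinfo/port never reach
    # the outbound request; fragments are dropped as well.
    return urlunparse(("https", parsed.hostname, parsed.path, "", parsed.query, ""))


def resolve_for_institution(institution_id: str, institution_url: str) -> Optional[str]:
    """Stronger form: the client names the institution, the server looks the
    origin up itself and only accepts a URL that sits under that origin."""
    origin = INSTITUTION_ORIGINS.get(institution_id)
    validated = validate_institution_url(institution_url)
    if origin is None or validated is None:
        return None
    if validated != origin and not validated.startswith(origin + "/"):
        return None
    return validated
```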

According to the research team, flaws and vulnerabilities residing in APIs are commonly overlooked, even though they can be abundant across the vast number of APIs in active use.
