Researchers on Thursday reported that they found substantial API vulnerabilities in a major financial technology platform that could let attackers gain administrative access to the online systems of banks that work closely with the fintech, leak personal customer data, access banking details and financial transactions, and perform unauthorized funds transfers.
In a blog by Salt Security, the researchers said the vulnerabilities were mainly caused by a server-side request forgery (SSRF), a common type of web vulnerability in which an attacker induces the server to make requests on their behalf and so gains access to, or can modify, server-side resources. The fintech platform has been integrated into the online systems at many banks and its services are used by millions of people.
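The usual defensive control against the SSRF class described above is to validate any user-supplied URL before the server fetches it. The following is an added example, not code from the Salt Security report or the platform it describes; the scheme and host allowlist, the partner-bank host name and the resolver stub are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only scheme and hosts this service should ever
# fetch on a caller's behalf (hypothetical partner-bank host name).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner-bank.example"}


def resolve_all(host: str) -> set:
    """Every address the name resolves to; separated so tests can stub DNS."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url: str, resolver=resolve_all) -> str:
    """Return url if it is safe to fetch server-side, else raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # Rejects "https://trusted-host@10.0.0.5/", which parses to host 10.0.0.5
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # already lower-cased by urlparse
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    # An allowlisted name can still resolve to an internal address, so every
    # resolved address is checked; is_global rejects private, loopback,
    # link-local, shared, reserved and documentation ranges.
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"host resolves to non-public address: {addr}")
    return url


def is_safe_outbound_url(url: str, resolver=resolve_all) -> bool:
    """Boolean wrapper around validate_outbound_url for simple policy checks."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

The HTTP client should then connect to the address that was validated and either refuse redirects or re-run the check on each redirect target, since a name can change between the check and the fetch.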
The researchers said this type of fintech platform has become a prized target for attackers for two reasons: First, their API landscape and overall functionality are very rich and complex, which leaves a lot of room for mistakes or overlooked details in development. Second, if a bad actor can abuse this type of platform, the potential profits are huge, since it could allow control of millions of user bank accounts and funds.
Joseph Carson, chief security scientist and advisory CISO at Delinea, added that many attackers want to get away with a crime that targets a highly visible financial services sector company as this would create a lot of noise and retaliation. Carson said the reason there have been so many breaches in the financial services industry over the past few years comes down to three major factors: human factors, identities and credentials, and vulnerabilities.
“In today’s digital era, most people are sharing more information via the cloud, ultimately causing themselves to be more exposed to attacks,” Carson said. “The ultimate goal is to compromise systems to commit financial fraud, or steal identities to access the company that the target was entrusted to protect. When identities are stolen, it provides the attacker with the means to bypass the traditional security perimeter undetected.”