Salt Labs researchers investigated a large financial institution’s online platform that provides API services to thousands of partner banks and financial advisors. As a result of multiple API vulnerabilities, researchers were able to launch attacks where:
1. Any user could read the financial records of any customer
2. Any user could delete any customer’s accounts in the system
3. Any user could take over any account
4. Any user could create a denial-of-service condition that would render entire applications unavailable
Researchers were successful in propagating these attacks, many of which correspond to the OWASP API Security Top 10, and they were able to exploit the following high-severity API security vulnerabilities in the financial services platform:
• broken object level authorization (BOLA)
• broken function level authorization (BFLA)
• susceptibility to parameter tampering
• improper input validation
Throughout the threat research report, researchers have anonymized any technical details of the vulnerability that could identify the organization, so as not to expose the financial entity to any additional risk. They have reviewed these findings with the organization and are sharing the information here to improve awareness around API security by detailing relevant attack patterns, technical details, and mitigation techniques for each vulnerability.