API security company Salt Security released new API vulnerability research that details a Server-Side Request Forgery (SSRF) flaw discovered in a U.S.-based FinTech company’s digital platform. The FinTech platform provides a wide range of digital banking services to hundreds of banks and millions of customers.

The API security vulnerability could have allowed administrative account takeover (ATO). Bad actors could have used the flaw to launch attacks to:

• Gain administrative access to the banking system
• Access users’ banking details and financial transactions
• Leak users’ personal data
• Perform unauthorized funds transfers into bad actors’ bank accounts

The SSRF flaw was already actively integrated into many of the FinTech company’s systems and had the potential to compromise every user account and transaction data served by its customer banks. While all issues are now remediated, an abuse of this platform could have enabled attackers to control millions of users’ bank accounts and funds, resulting in significant financial losses and theft, fraud, and reputational damage.

“Critical SSRF flaws are more common than many FinTech providers, and banking institutions realize. Had bad actors discovered this vulnerability, they could have caused serious financial damage to all parties involved,” said Yaniv Balmas, VP of Research, Salt Security. “API attacks are becoming more frequent and complex. Our Salt Labs researchers discover critical vulnerabilities that put entire companies at risk every day. By shining a light on these threats, we seek to continually educate security practitioners about potential vulnerabilities in their systems.”

According to the Salt Security State of API Security Report, Q1 2022, 95% of organizations experienced an API security incident in the past 12 months. Additional research showed significant growth (681%) of malicious API traffic in the same period. The API ecosystems of FinTech and financial service providers are vast, with customers, banks, and credit unions relying on APIs to drive interactions across an intricate network of websites, mobile applications, custom integrations, webhooks, and more. 

The full SSRF vulnerability report, including how Salt Labs conducted the research and steps for mitigation, is available here.