Fintech platform flaw could have allowed bank transfers, exposed data (Security News, April 2022)
Salt Security spotted a vulnerability in a large fintech company's digital platform that would have granted attackers admin access to banking systems in addition to allowing them to transfer funds to their own accounts.
"This vulnerability is a critical flaw, one that completely compromises every bank user," Yaniv Balmas, vice president of research at Salt, an API security firm, told The Register.
Salt Labs researchers declined to name the fintech company, saying only that it is based in the United States and that its online banking services platform is used by dozens of banks and other financial institutions that collectively serve hundreds of thousands of US customers.
The threat of such attacks increases as more banks partner with fintech providers and shift their traditional services online, a trend that only accelerated during the COVID-19 pandemic, according to Balmas.
In this case, the Salt Labs researchers focused on external interactions of one bank's websites that rely on the fintech platform.
The researchers were able to manipulate the APIs in the platform and the JWT tokens - cryptographically signed tokens that let the bank's server know who the requesting user is and what permissions they have - to establish a connection between that server and one run by Salt Labs.
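As an added illustration, not code from the article or from the unnamed fintech platform, this is the server-side check an API that relies on JWTs for identity and permissions has to perform: pin the expected algorithm, verify the HMAC signature over exactly the header and payload bytes the client sent, and only then read the claims. The key, claims and the forged test token are constructed sample values.

```python
import base64, hmac, hashlib, json, time
from typing import Optional

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(header)}.{b64url_encode(body)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the token is authentic and unexpired, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own header pick it
    # (rejects "alg": "none" and key-confusion tokens outright).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    claims = json.loads(b64url_decode(p_b64))  # trusted only after the signature check
    current = now if now is not None else int(time.time())
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        return None
    return claims

def tamper_claims(token: str, changes: dict) -> str:
    """Constructed negative test: rewrite claims while keeping the old signature.
    A correct verifier must reject the result, since the HMAC no longer matches."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(p_b64))
    claims.update(changes)
    body = json.dumps(claims, separators=(",", ":")).encode()
    return f"{h_b64}.{b64url_encode(body)}.{s_b64}"
```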