SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts
2022-04-07 13:46

A server-side request forgery (SSRF) flaw in an API of a large financial technology platform could have exposed millions of bank customers, allowing attackers to take control of their bank accounts and funds and defraud them, researchers have found.

A team at Salt Security's Salt Labs identified the vulnerability in an API behind a web page that supports the platform's fund-transfer feature, which lets clients move money from their accounts on the platform into their bank accounts, the researchers disclosed in a report published Thursday.

Had the flaw been exploited, attackers could have gained administrative access to the banking system behind the platform and, from there, carried out a range of fraudulent actions.

"Critical SSRF flaws are more common than many FinTech providers and banking institutions realize," Yaniv Balmas, vice president of research for Salt Security, said in a press statement.

"Two, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users' bank accounts and funds."

The researchers then embedded the newly obtained JWT in a request they had seen earlier, to an endpoint named "/accounts/account", which let them retrieve information from a bank account.
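The root cause described above is a backend that fetches a destination supplied by the client. The following is an added example, not code from Salt Labs or from the affected platform, showing the two checks a fund-transfer API should apply to any outbound target: a strict host allowlist on the URL itself, and an address-class check on whatever the allowlisted name resolves to. The allowlisted host names and the sample targets are made up for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this fund-transfer backend may call.
# These names are made up for the example.
ALLOWED_HOSTS = frozenset({"api.partnerbank.example", "payments.example"})


def is_internal_address(ip_str: str) -> bool:
    """True if an IP literal points at loopback, RFC 1918, link-local
    (including the 169.254.169.254 cloud metadata address), multicast,
    reserved or unspecified space. IPv4-mapped IPv6 is unwrapped first,
    so "::ffff:127.0.0.1" is treated as 127.0.0.1."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only https URLs, without embedded credentials, on the default
    port, whose host is a name on the allowlist. Any IP literal is refused,
    even a public one: the backend has no business calling arbitrary
    addresses handed to it by a client."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lowercased; brackets stripped for IPv6
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # "https://api.partnerbank.example@169.254.169.254/" parses with the
    # allowlisted name as the *username* and the metadata IP as the host.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                        # a hostname, not an IP literal: continue
    else:
        return False
    if port not in (None, 443):
        return False
    return host.rstrip(".") in allowed_hosts


# Constructed sample inputs, modelled on the kinds of targets an SSRF probe
# tries; none are real URLs from the disclosed case.
SAMPLE_TARGETS = [
    "https://api.partnerbank.example/v1/transfer",
    "http://api.partnerbank.example/v1/transfer",
    "https://169.254.169.254/latest/meta-data/",
    "https://api.partnerbank.example@169.254.169.254/",
    "https://[::ffff:127.0.0.1]/admin",
    "https://internal-admin.corp.example/accounts/account",
    "https://api.partnerbank.example:8443/",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        verdict = "allow" if is_safe_outbound_url(target) else "block"
        print(f"{verdict:5} {target}")
```

The URL check alone is not enough: an allowlisted name can be pointed at an internal address by the party controlling its DNS, so the client should resolve the name, run each resulting address through is_internal_address before connecting, and refuse to follow HTTP redirects, since a redirect is just another client-influenced destination.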
News URL

https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/