Report: 95% of organizations experienced an API security incident in the past year


API security provider Salt Security has released a new API threat study from Salt Labs that highlights an API security vulnerability discovered on a major online cryptocurrency wallet platform. Serving two million users worldwide and managing over 150,000 bitcoins, worth over $3 billion at the current price of BTC, the platform provides a wide range of services allowing customers to buy and trade cryptocurrencies online. The API security flaw discovered by Salt Labs, related to external authentication logins, could allow large-scale account takeover (ATO) attacks on any customer's account.

Salt Labs researchers found the vulnerability in the platform's "User Login" feature, specifically in the path that uses Google sign-in. Like many external authentication options, Google sign-in is built on OpenID Connect (OIDC), an identity layer on top of the OAuth 2.0 authorization framework. The platform's OIDC implementation was flawed: the user's authentication result (the ID request carrying the identity claims) was sent to and accepted by the platform's own application server, rather than being validated exclusively against the OIDC service.
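To make the OIDC point concrete, here is an added example (not code from the Salt Labs report or from the platform it describes) that contrasts a login handler which accepts identity claims at the application server without verifying them with one that validates the ID token the way the OIDC specification requires. The issuer, client ID, account names and signing key are hypothetical, and the token is HMAC-signed so the example runs offline with the Python standard library; a real provider such as Google signs ID tokens with RS256 and publishes its verification keys at a JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the identity provider's signing key (assumption:
# HS256 with a shared secret so the example runs offline; Google uses RS256
# with public keys fetched from its JWKS endpoint).
PROVIDER_SECRET = b"constructed-provider-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"      # hypothetical OIDC issuer
EXPECTED_AUDIENCE = "wallet-platform-client-id"   # hypothetical client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def provider_issue_id_token(claims: dict) -> str:
    """Provider side: sign header.payload with the provider's key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_payload(id_token: str, claims: dict) -> str:
    """Attacker side: swap in a new payload but keep the original signature."""
    header, _, sig = id_token.split(".")
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"


def vulnerable_login(id_token: str, posted_email: str) -> str:
    """Flawed handler: the application server decodes the token without
    verifying it and lets a client-supplied field choose the account."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    return posted_email or claims["email"]


def hardened_login(id_token: str, expected_nonce: str, now: Optional[float] = None) -> str:
    """Validate the ID token before trusting any claim; returns the provider's
    stable subject identifier, which the account table should be keyed on."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a client-chosen algorithm
    expected_sig = hmac.new(PROVIDER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token issued for another client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("email_verified"):
        raise ValueError("email not verified by provider")
    return claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    attacker_claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "attacker-1",
                       "email": "attacker@example.test", "email_verified": True,
                       "exp": now + 300, "nonce": "n1"}
    token = provider_issue_id_token(attacker_claims)
    forged = forge_payload(token, dict(attacker_claims, sub="victim-7", email="victim@example.test"))
    print(vulnerable_login(token, "victim@example.test"))  # victim@example.test: ATO via posted field
    print(vulnerable_login(forged, ""))                     # victim@example.test: ATO via forged payload
    print(hardened_login(token, "n1", now=now))             # attacker-1
    try:
        hardened_login(forged, "n1", now=now)
    except ValueError as err:
        print("rejected:", err)                             # rejected: bad signature
```

The hardened handler establishes identity only from a token whose signature, issuer, audience, expiry and nonce have all been checked, and it keys the account on the provider's `sub` claim rather than on an email address posted by the client. In production, use a maintained JWT library with the provider's JWKS rather than hand-rolled verification; the point of the example is which checks must happen before the application server trusts anything in the login request.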

By chaining a series of attacks, the researchers could take control of any account that used Google authentication as its login type, which covers a very large share of the platform's users. Once logged in as a user, the researchers could potentially use every feature available to that user, including transferring funds, viewing transaction history, and viewing personal data (which may include name, address and bank account number) and other valuable information. Salt Security believes the vulnerability could have allowed the theft of hundreds of millions of dollars from cryptocurrency wallets.

According to the report, 95% of organizations experienced an API security incident in the last 12 months. The API ecosystems of cryptocurrency platforms are vast, giving customers access to their crypto wallets and letting them easily buy, trade, borrow and earn additional cryptocurrencies. The platform evaluated by Salt Labs was susceptible to two common API issues from the OWASP API Security Top 10 (2019): Security Misconfiguration (API7) and Lack of Resources & Rate Limiting (API4).


This latest Salt Labs study of the cryptocurrency platform shows that API security is a critical part of any modern service and should be considered and addressed as part of the service's design. Improper implementation and misconfiguration of API-related features can have serious consequences, and can sometimes completely break security mechanisms that are considered industry standard or "bulletproof".

Salt...
