A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented.
The bugs are fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say — and the difficulties in doing so.
According to a report shared with Dark Reading from Salt Labs, the research division of Salt Security, a series of vulnerabilities (CVEs were not assigned) could have allowed actors take over a large portion of a user's account in the system.
This vulnerability would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any location of their choice.
"Once we successfully logged in to a user's accounts, we can potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.
The first bug involved the common feature found in mobile apps that allow users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user.
The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.
"This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers.
Each security issue on its own provided limited abilities to the attacker, according to the report. "However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account."
Yaniv Balmas, vice president of research at Salt, explains there are two factors that made these vulnerabilities impactful and dangerous.
"First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars — or more — being stolen from personal and business accounts," he says.
Poor API Implementations: An Important Object Lesson
As noted, the wallet-provider quickly fixed the API implementations in question, but there are important takeaways from the analysis, Balmas explains. After all, as the entire cryptocurrency market is relatively young, most of the services in this domain are heavily dependent on APIs as part of their core technologies.
"I have yet to see any cryptocurrency service that does not publish some sort of API to ease automated interactions with its functionalities," he says. “This reliance on APIs in turn surfaces another problem."
He explains API are designed to be dynamic and rapidly evolving interfaces for core business functionalities, which is obviously very positive from the user perspective.
"However, this same behavior opens the door for many security issues and vulnerabilities that may go unnoticed," he says. "Hence, we see with great frequency in our research efforts a relatively poor state of API security, sometimes with serious business implications."
API Security Issues a Major Concern as Usage Grows
As agile development grows in popularity, organizations are turning to APIs, resulting in broader attack surfaces more vulnerable to exploitation by threat actors. A recent analysis by application security firm Imperva and risk-strategy firm Marsh McLennan of breaches involving APIs revealed US companies face a combined $12 billion to $23 billion in losses in 2022.
Meanwhile, a March report from Salt Labs found API attacks increased a whopping 681% in the last year, with API attack traffic growing at more than twice the rate of nonmalicious traffic. Again, much of that could be due to implementation and configuration error: In May, for instance, Shadowserver Foundation researchers discovered that 380,000 Kubernetes API servers were open to the public Internet, representing 84% of all global Kubernetes API instances observable online.
API Attack Surface Must Be Tracked, Monitored
Balmas notes another issue with APIs and their nature is that once an API ecosystem gets big, it becomes very hard to have a complete handle on it. With multiple applications and internal services each publishing their own unique sets of APIs, it is very hard for the maintainers sometimes to even know which APIs are published at any given point in time.
"This is why API visibility and consolidation measures are sometimes the very first — and important — step to securing a company's APIs," he says.
Balmas recommends that cryptocurrency platforms, and any other heavy API users, should start paying more attention to the API attack surface that they expose.
"This new attack surface should be carefully tracked and monitored," he adds. "The services behind it should be more carefully reviewed on a periodic basis to make sure no new security issues have been introduced, and behavioral monitoring should be applied on the ongoing traffic to spot anomalies that might be happening in an effort to find and exploit vulnerabilities."