Buggy Log in With Google API Implementation Opens Crypto Wallets to Account Takeover

Published: 23/11/2024   Category: security




Improper implementations of authentication APIs at a global crypto wallet service provider could have resulted in the loss of account control — and millions of dollars — from personal and business accounts.



A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented. 
The bugs are fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say — and the difficulties in doing so.
According to a report shared with Dark Reading from Salt Labs, the research division of Salt Security, a series of vulnerabilities (CVEs were not assigned) could have allowed attackers to take over a large portion of user accounts in the system.
This vulnerability would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any location of their choice.
"Once we successfully logged in to a user's account, we can potentially use any functionality available to the user, including funds transfer, viewing transaction history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.
The first bug involved the common feature found in mobile apps that allows users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "Log in with Google" option — and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user.
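The report does not describe the token-handling flaw in detail. The Python below is an added illustration, not code from Salt Labs or from the wallet provider: it contrasts an assumed weak pattern (selecting the local account from a Google ID supplied in the request body) with a check that selects the account only from the `sub` claim of a Google ID token whose issuer, audience and expiry have been validated. Signature verification against Google's published keys is assumed to happen upstream; the claims, account table, client ID and clock are constructed for the example.

```python
import time

# Issuer values Google places in ID tokens; both forms occur in practice.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def validate_google_claims(claims, expected_client_id, now=None):
    """Check the claims of a Google ID token whose signature has ALREADY been
    verified against Google's keys (an assumed upstream step, e.g. a JWT
    library). Returns the stable Google account id ('sub') or raises
    ValueError. Only 'sub' may be used to locate the local account."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("token not issued by Google")
    # 'aud' must be THIS app's client id; otherwise a token minted for any
    # other Google-integrated app would be accepted here.
    if claims.get("aud") != expected_client_id:
        raise ValueError("token audience is not this application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no expiry")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("token has no subject")
    return sub


def is_valid(claims, expected_client_id, now=None):
    """Boolean wrapper around validate_google_claims for callers and tests."""
    try:
        validate_google_claims(claims, expected_client_id, now)
        return True
    except ValueError:
        return False


def lookup_account_unsafe(accounts_by_sub, request_body):
    """Assumed weak pattern: the server takes a Google user id straight from
    the client's request body to pick the local account. Nothing ties that
    value to the presented token, so the sender chooses the account."""
    return accounts_by_sub.get(request_body.get("google_id"))


def lookup_account_hardened(accounts_by_sub, verified_claims, expected_client_id, now=None):
    """The fix: the account is selected only by the 'sub' claim of a token
    that passed issuer, audience and expiry checks; any id the client
    asserts in the body is ignored."""
    sub = validate_google_claims(verified_claims, expected_client_id, now)
    return accounts_by_sub.get(sub)


# Constructed sample data, not from the report.
ACCOUNTS_BY_SUB = {
    "110000000000000000001": {"owner": "alice", "wallet": "acct-alice"},
    "110000000000000000002": {"owner": "bob", "wallet": "acct-bob"},
}
CLIENT_ID = "wallet-app.apps.googleusercontent.com"  # placeholder client id
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def demo():
    """Bob presents his own valid token but asserts alice's id in the body.
    Returns the owner each lookup resolves to: (unsafe, hardened)."""
    bob_claims = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                  "exp": NOW + 3600, "sub": "110000000000000000002",
                  "email": "bob@example.com"}
    body = {"google_id": "110000000000000000001"}
    unsafe = lookup_account_unsafe(ACCOUNTS_BY_SUB, body)["owner"]
    hardened = lookup_account_hardened(ACCOUNTS_BY_SUB, bob_claims, CLIENT_ID, NOW)["owner"]
    return unsafe, hardened


if __name__ == "__main__":
    print(demo())  # ('alice', 'bob')
```

The design point is that the `email` claim is not used for account selection either: Google documents `sub` as the stable, unique identifier, while an e-mail address can change hands, so binding the wallet account to `sub` at first login and matching on it afterwards is the check a reviewer should look for.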
The second bug allowed researchers to get around two-factor authentication. A PIN-reset mechanism was found to lack rate limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.
"This endpoint does not contain any sort of rate limiting, user blocking, or temporary account disabling functionality. Basically, we can now run the entire 999,999 PIN options and get the correct PIN within less than 1 minute," according to the researchers.
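The PIN-reset weakness is easiest to see beside a verifier that closes it. The Python below is an added example, not the provider's code: an in-memory store that issues a six-digit one-time code and applies a per-user attempt limit, a temporary lockout and a code lifetime, so the code space can no longer be swept. The policy values (5 attempts, 15-minute lockout, 5-minute code lifetime) and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time

# Policy values are assumptions for this example, not from the report.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
CODE_TTL_SECONDS = 5 * 60


class PinResetStore:
    """In-memory one-time-code store (constructed for the example). Each user
    has at most one live code; wrong guesses are counted per user and a burst
    of them locks the code, so the 6-digit space cannot be enumerated the way
    an unlimited endpoint allows."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can move time forward
        self.codes = {}     # user_id -> state dict

    def issue(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user_id] = {"code": code, "issued": self.clock(),
                               "attempts": 0, "locked_until": 0.0}
        # A real service delivers the code by SMS or e-mail; the API
        # response to the client must never contain it.
        return code

    def verify(self, user_id, submitted):
        now = self.clock()
        state = self.codes.get(user_id)
        if state is None:
            return "no_code"
        if now < state["locked_until"]:
            return "locked"        # refuse even a correct guess while locked
        if now - state["issued"] > CODE_TTL_SECONDS:
            del self.codes[user_id]
            return "expired"
        # Constant-time comparison on bytes; odd input cannot raise here.
        if hmac.compare_digest(state["code"].encode(), str(submitted).encode()):
            del self.codes[user_id]  # single use
            return "ok"
        state["attempts"] += 1
        if state["attempts"] >= MAX_ATTEMPTS:
            state["locked_until"] = now + LOCKOUT_SECONDS
            state["attempts"] = 0
            return "locked"
        return "wrong"


def guesses_before_lockout(store, user_id, code):
    """Count how many wrong guesses the store accepts before it locks.
    The endpoint in the report had no such bound: all 999,999 wrong values
    could be tried in under a minute."""
    wrong = "000000" if code != "000000" else "000001"
    n = 0
    while store.verify(user_id, wrong) == "wrong":
        n += 1
    return n


if __name__ == "__main__":
    store = PinResetStore()
    code = store.issue("user-1")
    print(guesses_before_lockout(store, "user-1", code))  # 4
    print(store.verify("user-1", code))                   # locked
```

Two choices matter beyond the counter itself: the lockout is longer than the code's lifetime, so a code that was being guessed is expired rather than usable once the lock clears, and a correct guess is refused during the lock, which removes the incentive to keep guessing. In a real deployment the same counters would also be kept per source address and per phone number, and alerts raised when a lock is triggered.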
Each security issue on its own provided limited abilities to the attacker, according to the report. However, an attacker could chain these issues together to propagate a highly impactful attack, such as transferring the entire account balance to his wallet or private bank account.
Yaniv Balmas, vice president of research at Salt, explains there are two factors that made these vulnerabilities impactful and dangerous.
"First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars — or more — being stolen from personal and business accounts," he says.
As noted, the wallet-provider quickly fixed the API implementations in question, but there are important takeaways from the analysis, Balmas explains. After all, as the entire cryptocurrency market is relatively young, most of the services in this domain are heavily dependent on APIs as part of their core technologies.
"I have yet to see any cryptocurrency service that does not publish some sort of API to ease automated interactions with its functionalities," he says. "This reliance on APIs in turn surfaces another problem."
He explains that APIs are designed to be dynamic and rapidly evolving interfaces for core business functionalities, which is obviously very positive from the user perspective.
"However, this same behavior opens the door for many security issues and vulnerabilities that may go unnoticed," he says. "Hence, we see with great frequency in our research efforts a relatively poor state of API security, sometimes with serious business implications."
As agile development grows in popularity, organizations are turning to APIs, resulting in broader attack surfaces more vulnerable to exploitation by threat actors. A recent analysis by application security firm Imperva and risk-strategy firm Marsh McLennan of breaches involving APIs revealed US companies face a combined $12 billion to $23 billion in losses in 2022.
Meanwhile, a March report from Salt Labs found API attacks increased a whopping 681% in the last year, with API attack traffic growing at more than twice the rate of nonmalicious traffic. Again, much of that could be due to implementation and configuration error: In May, for instance, Shadowserver Foundation researchers discovered that 380,000 Kubernetes API servers were open to the public Internet, representing 84% of all global Kubernetes API instances observable online.
Balmas notes another issue with APIs and their nature is that once an API ecosystem gets big, it becomes very hard to have a complete handle on it. With multiple applications and internal services each publishing their own unique sets of APIs, it is very hard for the maintainers sometimes to even know which APIs are published at any given point in time.
"This is why API visibility and consolidation measures are sometimes the very first — and important — step to securing a company's APIs," he says.
Balmas recommends that cryptocurrency platforms, and any other heavy API users, should start paying more attention to the API attack surface that they expose.
"This new attack surface should be carefully tracked and monitored," he adds. "The services behind it should be more carefully reviewed on a periodic basis to make sure no new security issues have been introduced, and behavioral monitoring should be applied on the ongoing traffic to spot anomalies that might be happening in an effort to find and exploit vulnerabilities."
