Researchers discovered the vulnerability in an API already integrated into many banks’ systems; it could have let attackers defraud millions of users by giving them access to those users’ funds.
A server-side request forgery (SSRF) flaw in an API of a large financial technology (fintech) platform could have compromised millions of bank customers, allowing attackers to defraud clients by taking control of their bank accounts and funds, researchers have found.
A team at Salt Security’s Salt Labs identified the vulnerability in an API on a web page that supports the platform’s fund-transfer functionality, which lets clients transfer money from their accounts on the platform into their bank accounts, researchers disclosed in a report published Thursday.
The company in question, dubbed “Acme Fintech” to preserve its anonymity, offers a “digital transformation” service for banks of all sizes, allowing the institutions to move traditional banking services online. The platform has already been integrated into many banks’ systems and thus has millions of active daily users, researchers said.
If the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. From there they could have leaked users’ personal