SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts
Salt Security has discovered a vulnerability in an API that is already integrated into the systems of several banks. The flaw could potentially have been used, or may already have been used, to defraud millions of users by giving attackers access to their funds. The vulnerability is a server-side request forgery (SSRF) flaw in the fintech platform. It could already have compromised millions of bank customers through the platform's fund transfer functionality. This tool allows clients to transfer money from their personal accounts into their bank accounts. Salt Security released a report on Thursday detailing the risk.
The company involved, referred to as Acme Fintech to preserve its anonymity, offers digital transformation services to banks of all sizes. This includes enabling institutions to move from traditional banking services to online services. According to the security researchers, the platform has already been integrated into several banks' systems and may therefore affect millions of users. If exploited, the flaw could allow attackers to gain admin access. From there, they could have leaked personal data, accessed sensitive banking details including financial transactions, and performed unauthorized fund transfers.