A cryptocurrency wallet service provider serving more than 2 million users worldwide and managing about $3 billion worth of Bitcoin was found to contain API vulnerabilities tied to how external authentication logins were implemented. The bugs have since been fixed, but the discovery illustrates the high stakes involved in implementing APIs securely, researchers say, and the difficulties in doing so. According to a report shared with Dark Reading by Salt Labs, the research division of Salt Security, a series of vulnerabilities (no CVEs were assigned) could have allowed attackers to take over a large portion of a user's account in the system. This would have given a malicious actor full access, along with the ability to perform multiple financial actions on behalf of that user, including the transfer of funds to any destination of their choice. "Once we successfully logged in to a user's accounts, we can potentially use any functionality available to the user, including funds transfer, viewing transactions history, seeing the user's personal data, which might include name, address, bank account number, and other valuable data," Salt researchers note in the report.
Read more: Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover.