"SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts"

A team of researchers at Salt Security's Salt Labs discovered a Server-Side Request Forgery (SSRF) flaw in the Application Programming Interface (API) of a large financial technology (fintech) platform. The flaw put millions of bank customers at risk: attackers could have used it to defraud clients by taking over their bank accounts and funds. According to the team, the vulnerability was in an API behind a web page that supports the platform's fund transfer functionality. The company in question provides a digital transformation service for banks of all sizes, allowing institutions to move from traditional banking services to online services. Because the platform is already integrated into many banks' systems, it has millions of active users every day. Exploiting the SSRF flaw could have given attackers administrative access to the banking systems that rely on the platform. From there, the attackers could have exposed users' personal data, accessed banking details, leaked financial transactions, performed unauthorized fund transfers into their own bank accounts, and more. This article continues to discuss the discovery, potential impact, and mitigation of the SSRF flaw in the fintech platform.
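The summary does not describe how the SSRF was triggered or how the vendor fixed it, so the following is an added illustration of the standard defensive control for this bug class, not code from Salt Labs or from the platform. It validates a URL that a server-side API is about to fetch on a user's behalf: only an allowlisted scheme, host and port pass, embedded credentials are rejected, and every address the host resolves to is checked against loopback, private, link-local and other non-routable ranges. The allowlist entries, the `CONSTRUCTED_DNS` table and the public-looking address in it are constructed placeholders.

```python
"""Allowlist-based SSRF guard for outbound requests made on a user's behalf.

Added example; hostnames and addresses are constructed placeholders.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the transfer API may contact.
ALLOWED_HOSTS = {"api.partner-bank.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


class UnsafeURL(ValueError):
    """Raised when a URL fails the SSRF guard."""


def is_forbidden_address(ip: str) -> bool:
    """True for addresses an outbound fetch must never reach: loopback,
    RFC 1918 / other private ranges, link-local (where cloud metadata
    services live), multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(hostname: str) -> set[str]:
    """Every address the system resolver returns for hostname."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_outbound_url(url: str, resolve=resolve_all) -> tuple[str, str]:
    """Validate url and return (hostname, pinned_ip).

    The caller should open the connection to pinned_ip (still sending the
    hostname in SNI/Host) so that a second DNS lookup at connect time cannot
    be answered with an internal address (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allowlist: {host!r}")
    if parts.port not in ALLOWED_PORTS:  # .port raises ValueError if malformed
        raise UnsafeURL(f"port not allowed: {parts.port}")
    addresses = resolve(host)
    if not addresses:
        raise UnsafeURL(f"host did not resolve: {host!r}")
    for ip in addresses:
        if is_forbidden_address(ip):
            raise UnsafeURL(f"{host} resolves to forbidden address {ip}")
    return host, sorted(addresses)[0]


def is_safe_url(url: str, resolve=resolve_all) -> bool:
    """Boolean convenience wrapper; malformed URLs count as unsafe."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except ValueError:  # UnsafeURL and parsing errors alike
        return False


# Constructed DNS table so the example runs offline. 93.184.216.34 stands in
# for a routable public address; 10.0.0.5 simulates a rebind to an internal host.
CONSTRUCTED_DNS = {"api.partner-bank.example": {"93.184.216.34"}}
REBOUND_DNS = {"api.partner-bank.example": {"10.0.0.5"}}


def lookup_constructed(hostname: str) -> set[str]:
    return CONSTRUCTED_DNS.get(hostname, set())


def lookup_rebound(hostname: str) -> set[str]:
    return REBOUND_DNS.get(hostname, set())


if __name__ == "__main__":
    for candidate in ("https://api.partner-bank.example/v1/transfer",
                      "http://api.partner-bank.example/v1/transfer",
                      "https://api.partner-bank.example@127.0.0.1/",
                      "https://127.0.0.1/admin",
                      "https://api.partner-bank.example:8443/"):
        print(f"{is_safe_url(candidate, lookup_constructed)!s:5}  {candidate}")
```

The resolve-then-pin step is the part most implementations skip: checking the hostname string alone still lets an allowlisted name that later resolves to an internal address reach the backend, which is why the function returns the vetted IP for the HTTP client to connect to.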

Threatpost reports "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts"

Submitted by Anonymous on