"Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover"

Security researchers at Salt Labs found that a cryptocurrency wallet service provider serving over 2 million users worldwide and managing about $3 billion worth of Bitcoin contained API vulnerabilities tied to how external authentication logins were implemented. The researchers stated that the bugs have been fixed, but the discovery illustrates the high stakes involved in securely implementing APIs. The vulnerabilities discovered could have allowed threat actors to take over a large portion of a user's account in the system. The researchers noted that this vulnerability would have given a malicious actor full access and the ability to perform multiple financial actions on behalf of that user, including transferring funds to any location of their choice.

The researchers stated that the first bug involved the common feature found in mobile apps that allows users to log in using an external service, like Apple ID, Google, Facebook, or Twitter. In this case, the researchers examined the "log in with Google" option and found that the authentication token mechanism could be manipulated to accept a rogue Google ID as being that of the legitimate user. The second bug discovered by the researchers allowed them to get around two-factor authentication: a PIN-reset mechanism was found to lack rate-limiting, allowing them to mount an automated attack to uncover the code sent to a user's mobile number or email.

Yaniv Balmas, vice president of research at Salt, stated that there are two factors that made these vulnerabilities impactful and dangerous. First, it is very easily exploitable, and second, a successful exploitation could lead to millions of dollars, or more, being stolen from personal and business accounts.
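As an added illustration (not code from Salt Labs, the wallet provider, or Dark Reading), the following Python shows the two server-side controls whose absence the summary describes: a social-login handler that trusts only the verified token's subject claim when mapping an identity to an account, so a valid token for some other identity cannot be passed off as the legitimate user, and a PIN-reset verifier that rate-limits guesses, locks the account and invalidates the code once the limit is hit. The issuer string, client id, account table and HMAC demo key are constructed assumptions. A real Google ID token is an RS256 JWT that should be verified against Google's published public keys (for example with the google-auth library); the issuer, audience, expiry and account-binding checks are the same regardless of how the signature is verified.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# ---- Part 1: validating a "log in with <provider>" ID token ----------------
# Constructed stand-in for the identity provider: it signs tokens with a shared
# HMAC key (demo only). A real Google ID token is an RS256 JWT verified against
# Google's published public keys; the claim checks below are unchanged by that.
IDP_ISSUER = "https://idp.example.test"         # assumed issuer string
OUR_CLIENT_ID = "wallet-app-client-id"          # assumed audience (our app's id)
DEMO_IDP_KEY = b"constructed-demo-signing-key"  # constructed, demo only

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def demo_issue_token(claims: dict) -> str:
    """Stand-in for the provider minting a signed ID token (demo only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Return the token's claims only after signature, issuer, audience and
    expiry all check out; otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(DEMO_IDP_KEY, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")           # body was tampered with
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("wrong audience")          # minted for some other app
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

# Constructed account table: provider subject id -> wallet account.
ACCOUNTS = {"idp-subject-1234": "alice-wallet"}

def login_with_provider(token: str, now: Optional[float] = None) -> str:
    """Resolve the account from the *verified* 'sub' claim. Any user id or
    e-mail the client sends alongside the token is deliberately ignored, so a
    valid token for a different identity cannot be mapped onto this account."""
    claims = verify_id_token(token, now)
    account = ACCOUNTS.get(claims.get("sub"))
    if account is None:
        raise ValueError("no account linked to this identity")
    return account

# ---- Part 2: rate-limited, single-use PIN-reset code -----------------------
@dataclass
class PinResetGuard:
    max_attempts: int = 5          # wrong guesses allowed per issued code
    lockout_seconds: int = 900     # lockout once the limit is hit
    code_ttl: int = 300            # seconds a code stays valid
    codes: dict = field(default_factory=dict)   # account -> (code, expires_at)
    fails: dict = field(default_factory=dict)   # account -> (count, locked_until)

    def issue_code(self, account: str, code: str, now: float) -> None:
        self.codes[account] = (code, now + self.code_ttl)

    def verify_code(self, account: str, attempt: str, now: float) -> bool:
        count, locked_until = self.fails.get(account, (0, 0.0))
        if now < locked_until:
            return False                         # locked out: no comparison at all
        stored = self.codes.get(account)
        if stored and now < stored[1] and hmac.compare_digest(stored[0], attempt):
            self.codes.pop(account)              # single use
            self.fails.pop(account, None)
            return True
        count += 1
        if count >= self.max_attempts:
            self.codes.pop(account, None)        # invalidate: guessing must restart
            self.fails[account] = (0, now + self.lockout_seconds)
        else:
            self.fails[account] = (count, 0.0)
        return False
```

The two halves map onto the two bugs in the summary. In the first, the account lookup key comes only from the `sub` claim of a token whose signature, issuer and audience were checked, which is what prevents a legitimately issued token for some other identity, or a tampered token body, from being accepted as the victim's. In the second, the guard bounds the number of guesses per issued code and discards the code on lockout, so an automated sweep of a short numeric code cannot succeed; in a real deployment the counters would live in shared storage rather than in-process memory, and per-IP limits would sit alongside the per-account limit.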


Dark Reading reports: "Buggy 'Log in With Google' API Implementation Opens Crypto Wallets to Account Takeover"
