Millions of banking customers could have had their accounts compromised by the exploitation of a server-side request forgery vulnerability in a major financial technology platform's API, Threatpost reports.
The flaw was discovered by Salt Security's Salt Labs in the API of the fintech firm's fund transfer web page and could have been abused to expose users' personal information, banking data, and financial transactions, as well as to execute unauthorized fund transfers. "This vulnerability is a critical flaw, one that completely compromises every bank user. Had bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users," said researchers. Malicious API traffic has been increasing in prevalence, with 5% of organizations reporting API security incidents over the past year, according to a Salt Security report last quarter. "Critical SSRF flaws are more common than many FinTech providers and banking institutions realize. API attacks are becoming more frequent and complex," said Salt Security Vice President of Research Yaniv Balmas.
Millions could have been impacted by flaw in fintech platform