Ethical hacker Alissa Knight opened the eyes of the banking industry yesterday in her Money 20/20 keynote presentation entitled "Scorched Earth: Hacking Bank APIs". In her presentation, Alissa revealed that she was able to gain access to 55 different banks and change PIN codes and move money in and out of accounts.

Below are the key findings from the press release.

- 54 of the 55 mobile apps that were reverse engineered contained hardcoded API keys and tokens, including usernames and passwords to third-party services.
- All 55 apps tested were vulnerable to woman-in-the-middle (WITM) attacks, allowing Knight to intercept and decrypt the encrypted traffic between the mobile apps and backend APIs.
- 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities, allowing Knight to change the PIN code of any bank customer's Visa ATM debit card number or transfer money in/out of accounts.
- 100% of the APIs tested were vulnerable to Broken Authentication vulnerabilities, allowing Knight to perform API requests on other bank customers' accounts without authenticating.
- One of the banks tested outsourced the development of their code; the developer reused that same vulnerable code across hundreds of other banks, allowing the same attacks to be employed against those other bank targets.

Enterprises across all verticals can learn from Alissa Knight's research.

API Security Vulnerabilities Affect All Enterprises

API usage has surged into a sprawl for businesses of all shapes and sizes.
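The two API findings above, Broken Authentication and Broken Object Level Authorization (BOLA), come down to the same missing checks in a request handler. The example below is added here and is not code from the page, from the press release, or from any bank Knight tested: it is a hypothetical PIN-change endpoint with an in-memory card and session store (all data constructed), written once as the vulnerable handler and once hardened so that the caller must hold a valid session and may only act on cards that session owns.

```python
"""Added example (not from the page or from Knight's research): a minimal
PIN-change endpoint showing Broken Authentication and BOLA beside a hardened
version. Card numbers, tokens and customer ids are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed data store: card number -> owner customer id and current PIN.
CARDS = {
    "4111111111111111": {"owner": "cust-alice", "pin": "1234"},
    "4222222222222222": {"owner": "cust-bob", "pin": "9876"},
}
# Constructed session store: bearer token -> authenticated customer id.
SESSIONS = {"tok-alice": "cust-alice", "tok-bob": "cust-bob"}


@dataclass
class Request:
    """Stand-in for an HTTP request: headers plus a parsed JSON body."""
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def change_pin_vulnerable(req: Request) -> tuple[int, str]:
    """Vulnerable handler: never authenticates the caller (Broken
    Authentication) and lets the card number in the body select the object
    with no ownership check (BOLA). Anyone who knows a card number can set
    its PIN."""
    card = req.body.get("card")
    new_pin = req.body.get("new_pin")
    if card not in CARDS:
        return 404, "unknown card"
    CARDS[card]["pin"] = new_pin
    return 200, "pin updated"


def authenticate(req: Request) -> Optional[str]:
    """Return the customer id bound to a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def change_pin_hardened(req: Request) -> tuple[int, str]:
    """Hardened handler: require a valid session, validate the new PIN, and
    only touch a card whose owner is the authenticated customer. A card the
    caller does not own gets the same 404 as a non-existent card, so the
    endpoint cannot be used to enumerate which card numbers exist."""
    customer = authenticate(req)
    if customer is None:
        return 401, "authentication required"
    new_pin = req.body.get("new_pin")
    if not (isinstance(new_pin, str) and new_pin.isdigit() and len(new_pin) == 4):
        return 400, "pin must be 4 digits"
    record = CARDS.get(req.body.get("card"))
    if record is None or record["owner"] != customer:
        return 404, "unknown card"
    record["pin"] = new_pin
    return 200, "pin updated"


if __name__ == "__main__":
    # Bob, authenticated as himself, tries to change Alice's PIN.
    attack = Request(headers={"Authorization": "Bearer tok-bob"},
                     body={"card": "4111111111111111", "new_pin": "0000"})
    print("vulnerable:", change_pin_vulnerable(attack))   # succeeds
    print("hardened:  ", change_pin_hardened(attack))     # rejected
```

The object-level check is the line comparing `record["owner"]` with the customer recovered from the session; note that it keys the lookup on the session, never on an identifier the client supplied. The same pattern applies to transfers and any other endpoint that takes an account or card number in the request.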