SBN

Coinbase Fixes Vulnerable API that Let You Sell Bitcoin You Didn’t Own

On Friday, February 11th 2022, a security researcher (Tree_of_Alpha on Twitter) discovered a flaw in Coinbase’s new Advanced Trading feature that allowed users to sell cryptocurrencies without owning them. According to the Coinbase blog, the flaw was resolved in a matter of hours without any malicious exploitation. And Coinbase paid Tree of Alpha the largest-ever bug bounty of $250,000.

What was the Coinbase Bug?

Let’s get the details straight from the researcher. Tree of Alpha outlined how they discovered the security flaw in a series of tweets:

How Common are these Types of API Vulnerabilities?

Unfortunately, security issues like this are fairly common, especially with APIs. Many businesses are experiencing a surge in API usage because they are releasing new features (like in the example of Coinbase), modernizing applications, migrating to the cloud, conducting M&A, and connecting to rich partner ecosystems — all of which mean more and more APIs.

One of the biggest challenges around securing APIs is discovery. Enterprises don’t know how many APIs they have, but API discovery is so much more than a number. If you don’t even know how many APIs you have, you don’t know if your APIs have been properly tested or configured. Which APIs are internet facing? Which APIs are communicating sensitive information? These blind spots are where attackers thrive.

One of the properties of API vulnerabilities that makes them so dangerous is how easy it is for a threat actor to identify and exploit these vulnerabilities. To remotely compromise a device (like a laptop or mobile phone) often requires a significant amount of time, resources, and expertise. In contrast, performing unauthorized, unintended transactions using a financial institution’s APIs may not require more than 10 minutes, a browser, and a curious researcher.

How Enterprises Must Proactively Prevent API Security Threats

The first generation of API security tools are reactionary. They simply monitor traffic to look for threats. However, misconfigurations and design flaws often can’t be detected by these tools. When a traffic monitoring tool does recognize unusual patterns, they are reacting to the symptom. The attack has already occurred or is actively occurring, but the tool is blind to what the configuration or design flaw the attackers are exploiting.

This is why bug bounties continue to be a critical tool in the security landscape. The Coinbase bounty is the largest and most recent, but there has been a long history of security researchers helping enterprises identifying significant threats to their APIs, like Sam Curry’s Hacking Starbucks. Enterprises incentivize security researchers to proactively identify problems in production before they are exploited by attackers. 

Identifying API security vulnerabilities as part of the SDLC — before production — is more critical than ever. Noname Security combines “Shift Left” API testing features paired with the industry’s most advanced posture management and runtime security capabilities. Noname is the only solution to proactively secure your environment from API security vulnerabilities, misconfigurations, and design flaws while providing automated detection and response to API attacks.

Learn more about how common API vulnerabilities are in the financial services industry by downloading white paper Hacking Banks and Cryptocurrency Exchanges Through Their APIs by Alissa Knight.

*** This is a Security Bloggers Network syndicated blog from Noname API Security Blog authored by Aner Morag. Read the original post at: https://nonamesecurity.com/blog/coinbase-fixes-vulnerable-api-that-let-you-sell-bitcoin-you-didnt-own