A guide: How to effectively pentest Plaid’s web applications & APIs?

We recently announced our new and improved bug bounty program and to make it easier, we’ve outlined some of our web applications and APIs that security researchers like you can test as part of Plaid’s Bug Bounty program. The goal of this post is to help security researchers understand how they can test various Plaid products.

Within this post, we discuss the following web applications & APIs:

• Plaid APIs - https://plaid.com/docs/api/

• Plaid Portal - https://my.plaid.com

• Plaid Developer Dashboard - https://dashboard.plaid.com

• Plaid Link - https://plaid.com/docs/link/

The two web applications / SPAs, viz. Plaid Consumer Portal and Plaid Developer Dashboard are straightforward and intuitive. Security researchers generally find it easy to pentest these applications. Plaid APIs, on the other hand, can be confusing to researchers who haven’t read the API docs. The API endpoints have quite a lot of business logic attached to them and our customers use these APIs to build their financial apps.

The sections below list application information and some security test cases.

Plaid Portal

The Plaid Portal allows end-users like you and I to view and manage connections made to our bank accounts through Plaid on apps like Betterment, Chime, Venmo, etc. Users just need an email address and a mobile number to create an account on this portal. Mobile number is required since Plaid uses it to check if you have connected any financial accounts to apps using Plaid.

Security test cases:

• Cross-account attacks (ex. user A being able to view or modify user B’s financial data)

• Second order XSS / SQL injection via registration form which affects other end-users

Plaid Developer Dashboard

The developer Dashboard allows Plaid’s customers (think Betterment, Chime, Venmo, etc.) or individual developers / researchers (like you and I) to manage their teams, users, API keys, etc. Users just need an email address to create an account on this dashboard. MFA is optional and can be enabled through the Security tab under User Profile.

Security test cases:

• Cross-account attacks (ex. customer A being able to view customer B’s API keys)

• Bypass production vetting process and get access to production API keys

• RCE by uploading and executing malicious code through Support functionality

Plaid APIs

Plaid offers a variety of API endpoints that interact with Plaid products including Transactions, Auth, Balance, etc. Full list of products here. Our customers can use one or more of these products to build their apps or products. For example, a developer / customer who is building a budgeting app may use the Transactions endpoint to enable a user to share transaction data from their Checking, Savings and/or Credit Card accounts, etc. and perform calculations to tell a user whether they are staying within their weekly or monthly budget.

Plaid has three environments: Sandbox, Development, and Production. From a security testing perspective, Sandbox environment is generally a good place to start. To interact with the APIs, create an account on the Plaid Developer Dashboard and retrieve client ID & secret under Team Settings -> Keys.

Plaid offers a Postman Collection as a convenient tool for exploring Plaid API endpoints without writing code. The Postman Collection provides pre-formatted requests for almost all of Plaid's API endpoints. All you have to do is fill in your API keys and any arguments. Parameter values in some of the API requests depend on values retrieved through responses of other API requests. Consider this scenario where an access token needs to be rotated through /item/access_token/invalidate endpoint. This endpoint takes in the following parameters:

{

   "client_id": "{{client_id}}",

   "secret": "{{secret_key}}",

   "access_token": "ENTER_ACCESS_TOKEN_HERE"

}

A valid access_token value is needed for the endpoint to invalidate it. An access_token can be obtained by calling the /item/public_token/exchange endpoint. This endpoint takes in the following parameters:

{

 "client_id": "{{client_id}}",

 "secret": "{{secret_key}}",

 "public_token": "ENTER_PUBLIC_TOKEN_HERE"

}

A valid public_token value is needed for the endpoint to respond with an access_token. A public_token can be obtained by calling the /sandbox/public_token/create endpoint. This endpoint takes in the following parameters:

{

 "client_id": "{{client_id}}",

 "secret": "{{secret_key}}",

 "institution_id": "ins_3",

 "initial_products": ["auth"],

 "options": {

   "webhook": "https://www.genericwebhookurl.com/webhook"

 }

}

Apart from fairly static parameters like institution_id, initial_parameters, and options, this request requires client_id and secret which can be obtained from Plaid Developer Dashboard.

To summarize, in order for a security researcher to effectively test the /item/access_token/invalidate endpoint, they will need to perform the following actions:

1. Call /sandbox/public_token/create endpoint to create a public_token

2. Use public_token created in step 1 as an input to the /item/public_token/exchange endpoint to create an access_token

3. Use access_token created in step 2 as an input to the /item/access_token/invalidate endpoint to rotate it

Business logic can be tested at all 3 steps mentioned above, and blindly fuzzing or scanning these endpoints will not be as effective.

This was a simple example. Most endpoints under products like Auth, Balance, Assets, Bank Transfers, etc. may require security researchers to call more than 3 endpoints to effectively test them. 

Security test cases:

• Unauthorized data access (ex. leak or dump data such as transactions, liabilities, income, etc. for other users)

• A malicious actor switches a user’s direct deposit information to redirect salary / money deposited into the attacker’s bank account

Plaid Link

This is the client-side component that users interact with in order to link their financial accounts through Plaid to their chosen apps. This is the component that pops up when users attempt to connect their bank accounts to apps like Betterment, Chime, Venmo, etc. Plaid Link handles credential validation, multi-factor authentication, and error handling for institutions that don’t use an OAuth flow. Some institutions use an OAuth authentication flow, in which Plaid Link redirects the end user to their bank's website or mobile app to authenticate. Link works across all modern browsers and platforms, including web, iOS, Android, as well as via React Native and mobile webviews. More details about inner workings of Plaid Link can be found in the documentation.

Security test cases:

• Client-side XSS escalated to steal user’s credentials or financial data

• Exploit Plaid Link to steal access tokens associated with a different user