Researcher had access to all Indian bank accounts through a vulnerability in the bank's systems


Security researcher Sathya Prakash Kadhirvelan discovered multiple vulnerabilities in a mobile banking app from a major Indian bank. As a result, he was able to access information about any account and transfer money between arbitrary bank accounts.

The researcher writes that his own bank released a mobile banking app at the end of 2015, which prompted him to take a closer look. The first vulnerability he found was the bank’s failure to use certificate pinning, which allowed him to use a self-signed certificate and intercept the app's traffic. In addition, the bank used an outdated protocol to establish a secure connection, namely SSL 3.0.

By analyzing the behavior of the app, the researcher then discovered that it performs a check on startup to find out whether a new version is available. From that request he was able to determine a session ID which, after some investigation, turned out never to expire. In addition, it was possible to request information about a bank account, such as the balance, using this ID without any authentication.

The researcher was also able to transfer money to and from arbitrary accounts via a curl request, because the app did not check whether the supplied customer ID and PIN belonged to the account sending the money, but only whether the two belonged to each other. He could therefore use his own customer ID and PIN to authorize payment requests from other people's accounts.

He tested this with family members’ accounts and was indeed able to transfer money, even from an account that was not registered for internet banking at all. The bank did send an SMS notification of the payment request, but it looked up the phone number from the customer ID in the request. As a result, the notification went to the potential attacker rather than to the victim.
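The authorization flaw in the two paragraphs above, as an added toy model (constructed here, not the bank's code): the vulnerable handler only checks that the customer ID and PIN belong together, while the hardened one also requires that the authenticated customer owns the account being debited, and derives the SMS target from that account's owner rather than from whoever is named in the request. All customer IDs, PINs, phone numbers and account names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: str
    pin: str
    phone: str


# Constructed sample data: two customers, each owning exactly one account.
CUSTOMERS = {
    "C100": Customer("C100", "1234", "+91-555-0101"),  # the requesting party
    "C200": Customer("C200", "9876", "+91-555-0202"),  # owner of ACC-B
}
ACCOUNT_OWNER = {"ACC-A": "C100", "ACC-B": "C200"}


def credentials_match(customer_id: str, pin: str) -> bool:
    """Checks only that the customer ID and PIN belong to each other."""
    customer = CUSTOMERS.get(customer_id)
    return customer is not None and customer.pin == pin


def transfer_vulnerable(customer_id, pin, src, dst, amount):
    """Mirrors the reported flaw: the caller is authenticated, but nobody
    checks that `src` is the caller's own account. Returns (allowed, sms_to)."""
    if not credentials_match(customer_id, pin):
        return False, None
    # The SMS goes to the phone number of the *requesting* customer ID,
    # so the account owner never learns about the debit.
    return True, CUSTOMERS[customer_id].phone


def transfer_hardened(customer_id, pin, src, dst, amount):
    """Ownership check added: the authenticated customer must own `src`, and
    the notification is addressed to the owner of the debited account."""
    if not credentials_match(customer_id, pin):
        return False, None
    owner = ACCOUNT_OWNER.get(src)
    if owner is None or owner != customer_id:
        return False, None  # request names an account the caller does not own
    if src == dst or amount <= 0:
        return False, None  # reject degenerate transfers as well
    return True, CUSTOMERS[owner].phone
```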

After the researcher informed the bank of his findings in November 2015, it took 12 days to receive a response, in which the bank promised to implement the improvements he proposed, such as the use of TLS. Whether a bug bounty program exists and when the improvements will be made has not yet been answered, the researcher writes. According to his own calculations based on public information from the bank, he had access to an estimated $25 billion.
