Saturday 11 May 2019

Bank Vulnerability: Accessing Account Information of Other Users in One of the Top 5 Private Banks

Saga of "One of the Top 5 Private Banks" Vulnerability - Accessing Account Information of Other Users

This disclosure is regarding a vulnerability which remained open for 5 months even after reporting it to bank officials. God knows whether this was actively exploited or not, but it was something serious which the bank should have taken care of, and they did not until 10th May, when I asked them again about the status.

I found it in the iPad version of "One of the Top 5 Banks" application at the end of last year, on Nov 23rd 2018, and it was fixed on 10th May 2019.

That vulnerability allowed an intruder to access other users' bank account information, like their total balance, last transactions, PPF balance and other information as well.

On Nov 22nd 2018 I was doing my bug bounty research at home on iOS applications; on the same iPad the bank's mobile app was installed, which I had used for my daily banking transactions for the 5 years since I opened my account. In the evening I needed to pay my bills, so I accessed the bank mobile app and paid them; meanwhile my proxy was configured by default, and I noticed an interesting parameter: the account number. I just changed this to something else and I was able to access the information of that other account.
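The bug described above is an insecure direct object reference: the account-number parameter was trusted without checking that the account belonged to the logged-in customer. As an added illustration (my own example, not the bank's code), here is a minimal Python handler showing the vulnerable form beside the corrected one; all account numbers, balances and session tokens are constructed sample values.

```python
# Added example, not the bank's code: an account-balance lookup with the
# missing ownership check (vulnerable) and with it (fixed).
# Every account number, balance and session token below is constructed.
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner_id: str
    balance: float


# Constructed sample data: three customers, one account each.
ACCOUNTS = {
    "1000000061": Account("1000000061", "cust-A", 1200.50),
    "1000000062": Account("1000000062", "cust-B", 3400.75),
    "1000000063": Account("1000000063", "cust-C", 9800.00),
}
# Session token -> authenticated customer id (constructed).
SESSIONS = {"tok-A": "cust-A", "tok-B": "cust-B"}


class Forbidden(Exception):
    pass


def balance_vulnerable(session_token: str, account_number: str) -> float:
    """Checks that the caller is logged in, but never checks that the
    requested account belongs to that caller: any session reads any account."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_number].balance


def balance_fixed(session_token: str, account_number: str) -> float:
    """Same endpoint with the ownership check: the account is compared
    against the customer bound to the session before anything is returned."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_number)
    # One response for "missing" and "not yours", so the endpoint cannot be
    # used to enumerate which account numbers exist.
    if account is None or account.owner_id != customer:
        raise Forbidden("no such account for this customer")
    return account.balance


def is_readable(session_token: str, account_number: str, handler=balance_fixed) -> bool:
    """True if the handler returns a balance for this session/account pair."""
    try:
        handler(session_token, account_number)
        return True
    except (Forbidden, KeyError):
        return False
```

A spike of Forbidden responses from one session across many account numbers is the detection signal a bank's API logs should surface for this class of bug.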

I immediately called customer care but unfortunately was not able to connect with them, so I sent them an email. (Airtel network sucks sometimes)

Next day, 24th Nov, I got a call from the customer care team and they asked me to share the information on their email (that email looked like a common one which might be accessible to the whole customer executive team). I asked them to give me an individual person's email who could handle it, to prevent this issue getting known by everyone in their team, but they insisted I share it on that one, and I did, with a private POC video!

On Nov 28th I asked them for an update and on the same day they replied with an email saying I needed to uninstall and install the app again and share the error message, etc. etc. I had shared the video last time, and these guys kept asking me for the error screenshot.

After all these 4 to 5 email and call communications with their customer care team, I understood that either they were not understanding my email or I was making a mistake while explaining it to them.

Due to the criticality of the issue I decided to connect with someone from their security team directly over LinkedIn, and coincidentally I found a senior person from their team. On Nov 28th 2018 I explained all the details to him and sent an email to their official email with screenshots and video.


Just the next day, on Nov 29th, I received a trademark complaint on my YouTube channel (YouTube strike notice) saying I had used the bank logo in my video without permission, etc. etc.

I was like: I am helping you out and your team is sending me a strike notice. If I did not drop/take down the video within 48 hours, my channel would be shut down. For my safety I did this and took down the video.
Let's continue-------

Due to the critical severity of the issue I thought that this vulnerability would get fixed the next day, or within a few hours. On Dec 9th 2018 I asked him for an update regarding the fixes; I did not get any reply.
The next day I forgot about that thing because I was preparing for my marriage (shopping, grooming etc 😛)

In Feb I came back to my work and was trying to recover from the shock of marriage 😅, and I came across the same LinkedIn chat in the morning on 9th May 2019. I asked him for an update again but got no reply. I immediately checked and was shocked that the vulnerability was still open.

At the same time I sent an email to that person saying that there had been no response for 5 months and that I had just checked and the vulnerability was still open.

On 10th May 2019 in the evening I got a message over LinkedIn from someone from their team asking for my mobile number; I shared it and we spoke. He asked me to check again for the vulnerability. I was in the office, so I told him I would update him once I reached home.

In the night I checked and found that the iPad mobile application was now forcing me to update to the iPhone version. It looks like they have made some changes in their initial API call to prevent the iPad API/web service from being used anymore.

I cannot share the video because it contains lots of sensitive information, but I have sorted out some POCs which will not disclose any sensitive information.

a. Below, on the right, we can see the account ending in 61 with a total balance of 164800. On the left you can see I am accessing the account balance of the account ending in 62, which has a total balance of 144XX.XX

b. Similar to the previous one: on the left you can see I am accessing the account balance of the account ending in 63, which has a total balance of 102XX.XX

According to their team, the iPad app was launched in 2015 but was later withdrawn due to the requirement of a SIM to enable it on the device. It looks like the app was a legacy one and was left without being updated.
Here is the timeline of the disclosure.
1) Nov 23rd 2018 - Communicated to Customer Care Team
2) Nov 28th 2018 - Communicated again to Customer Care Team, but they might not have understood the issue
3) Nov 28th 2018 - Connected with someone from "Bank"
4) Dec 9th 2018 - Asked for an update but no response
5) May 9th 2019 - Asked for an update
6) May 9th 2019 - Rechecked and found the issue was still open
7) May 10th 2019 - Communicated with another person from "Bank" and confirmed the fixes.
