[Writeup] How I prevented a bank from getting robbed
This story is about a loophole in an online banking website which could have allowed an attacker to steal funds from any customer account. After discovering this issue I immediately got in touch with the bank's security team and coordinated with them until a patch for this loophole was released. In this writeup I can't share the exact technical details of how I exploited the issue on the target website, but I can give you a generalized idea of what went wrong and how it could have been exploited.

Abstract:
There was a bug in the forgot password module of a netbanking website which an attacker could have exploited to update any customer's netbanking account password to a value of his choosing.

To understand the exploit, we first need to understand how password recovery works on the target bank's website.

Here is the normal flow of the password recovery process, which can be initiated by visiting the forgot password page:


To recover a forgotten password on the netbanking website a customer has to follow the following process:

Step 1: Identify the account using the customer ID.
Step 2: Submit an OTP (One Time Password) which will be sent via SMS & email.
Step 3: Set a new password.

After following this process the customer's password will be updated.

During my research, I found out that the webpage at "Step 3" was not validating whether the customer had completed "Step 2" (OTP verification).

The Exploit:

To exploit this issue an attacker has to complete "Step 1" -> Generate a Session ID -> Submit this Session ID to the "Step 3" endpoint along with the new password that is to be set for the account.

After making the POST request the customer's netbanking password will be updated. Since the customer IDs on the netbanking website were numerical, an attacker could have written a script that resets every netbanking account's password and transfers funds out of it.
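To make the missing check concrete, here is an added example (not the bank's code; all names are hypothetical) that models the three-step flow as a server-side recovery session. The Step 3 handler is shown twice: once trusting any live session ID, as the writeup describes, and once requiring that Step 2 succeeded on that same session before the password for the session's own customer ID is changed.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class RecoverySession:
    customer_id: str
    otp: str                    # in practice delivered out of band via SMS/email
    otp_verified: bool = False
    attempts_left: int = 3


class RecoveryService:
    def __init__(self):
        self.sessions: dict[str, RecoverySession] = {}
        self.passwords: dict[str, str] = {}    # customer_id -> password (demo only)

    # Step 1: identify the account and open a recovery session for it.
    def start(self, customer_id: str) -> tuple[str, str]:
        session_id = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[session_id] = RecoverySession(customer_id, otp)
        return session_id, otp    # otp returned only so the demo can "receive" it

    # Step 2: verify the OTP with a constant-time compare and bounded attempts.
    def verify_otp(self, session_id: str, otp: str) -> bool:
        s = self.sessions.get(session_id)
        if s is None or s.attempts_left <= 0:
            return False
        s.attempts_left -= 1
        if hmac.compare_digest(s.otp, otp):
            s.otp_verified = True
        return s.otp_verified

    # Step 3 as the writeup describes it: any live session ID is enough.
    def set_password_vulnerable(self, session_id: str, new_password: str) -> None:
        s = self.sessions[session_id]          # only checks that the session exists
        self.passwords[s.customer_id] = new_password

    # Step 3 hardened: Step 2 must have succeeded on this very session, the
    # session is consumed so it cannot be replayed, and the target account
    # comes from the server-side session rather than from the request.
    def set_password_fixed(self, session_id: str, new_password: str) -> None:
        s = self.sessions.get(session_id)
        if s is None or not s.otp_verified:
            raise PermissionError("OTP verification (Step 2) not completed")
        del self.sessions[session_id]
        self.passwords[s.customer_id] = new_password
```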

At the end of the day this incident was a good test of my hacker ethics and taught me lessons which I will carry with me throughout my life.

Thanks for reading & hack for good :)

Amit Sangra

Author & Editor

Amit is a Security Engineer acknowledged by Google, Apple, Microsoft, eBay, Intel and other top companies for reporting security issues in their web services.
