A security researcher discovered critical vulnerabilities in a mobile banking application that could have allowed anyone to steal as much as $25 billion from a bank. Fortunately for the bank, the researcher was a white hat hacker who reported the flaws to the bank and helped fix them.
An Indian bank could have lost $25B due to lack of app security
Security researcher Sathya Prakash discovered critical vulnerabilities in the mobile banking app used by one of the biggest Indian banks. He claimed that, using these security flaws, he could have stolen over $25 billion from the bank (the name of the bank remains undisclosed). However, since he was a white hat hacker, Prakash immediately reached out to the bank and informed it about the security issues in its mobile application; the bank took 12 days to respond. The researcher also helped the bank fix the vulnerabilities, which could have allowed criminal hackers to steal money from any or all of the bank's customers using just a few lines of code.
Prakash explained in a blog post that the banking app lacked certificate pinning, which could have allowed a Man-in-the-Middle (MitM) attacker to downgrade the SSL connection and capture requests in plain text using fraudulently issued certificates.
I tried to install a self-signed certificate, to capture the plain text request/response on Burp, and it worked like a charm, which means no certificate pinning. Considering this is a mobile banking application, lack of certificate pinning is an epic failure.
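The control the app was missing, as an added illustration that is not code from the article, the researcher or the bank: a client-side check that refuses a TLS connection unless the server presents a certificate the app was built to expect. Ordinary chain validation still runs first; the pin is an extra check on top of it, which is exactly why a self-signed certificate installed into the device trust store (as in the Burp test above) passes chain validation but fails here. The host name, the pin values and the choice to pin the whole certificate rather than its public key (SPKI pinning is more common on mobile platforms) are all assumptions of this example.

```python
"""Certificate pinning check for a banking client (added example, not the bank's code)."""
import hashlib
import socket
import ssl

# Placeholder pin set (assumption, not from the article). Real clients ship
# the SHA-256 of their current certificate plus a backup pin so that a
# certificate rotation does not lock customers out of the app.
PINNED_SHA256 = {
    "0" * 64,  # placeholder: pin of the current certificate
    "1" * 64,  # placeholder: pin of the backup certificate
}


def cert_pin(der_cert: bytes) -> str:
    """Return the hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """True only if the presented certificate is one the app explicitly trusts.

    A certificate added to the device trust store by a proxy user passes the
    platform's chain validation but never matches a shipped pin, so the
    connection is refused before any request leaves the client.
    """
    return cert_pin(der_cert) in pins


def open_pinned_connection(host: str, port: int = 443, pins=PINNED_SHA256, timeout: float = 10):
    """Open a TLS socket to host and close it unless the server certificate is pinned."""
    ctx = ssl.create_default_context()  # chain validation + hostname check still apply
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if not pin_matches(presented, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_pin(presented)}")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Usage (assumed host; will fail against any real server because the pins are placeholders):
    try:
        open_pinned_connection("api.bank.example").close()
    except (OSError, ssl.SSLError) as exc:
        print("refused:", exc)
```

The intercepting proxy scenario maps onto `pin_matches` directly: the DER bytes of a self-signed certificate hash to a value absent from the pin set, so the client tears the connection down instead of sending the login request through it.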
What was more surprising, however, was the lack of any session invalidation controls on the backend, which meant that session IDs lived forever until the user manually terminated them. He also discovered critical issues in the authentication process that could have been easily exploited by hackers mimicking customer behavior. Because of the insecure login session architecture, the flaws allowed attackers to perform critical actions on behalf of the victim account holder without knowing the password. The flaws allowed the hacker to do everything a bank customer could do: transfer funds, view account balances, and so on.
So invoking the fund transfer API call directly via cURL bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list.
It was a matter of 5 lines of code to enumerate the bank’s customer records (Current Account Balance, and Deposits).
Prakash was able to transfer money from any source account to any destination account, which he tested using his parents' accounts. He also claims that even accounts that did not have mobile or internet banking activated were accessible to him using these flaws. "There were a bunch of hyper critical controls that I wanted to test (Account Balance validation while transferring funds, Fund Transfer Limitation), but that would have been outright illegal. So I had to skip it," Prakash said.
Sadly for him, Prakash didn't receive any bounty from the target bank even though he helped them fix some major critical bugs. "It took them 12 days to respond to an e-mail saying 'Hey, your several billion worth deposits are at risk,'" Prakash wrote, "which was stunning."