5 lines of code allowed a hacker to steal $25 billion from a bank
A security researcher discovered critical vulnerabilities in a mobile banking application that could have allowed anyone to steal as much as $25 billion from a bank. Fortunately for the banking company, the researcher was a white hat hacker who reported the flaws to the bank and helped fix them.
An Indian bank could have lost $25B due to lack of app security
Security researcher Sathya Prakash discovered critical vulnerabilities in the mobile banking app used by one of the biggest Indian banks. He claimed that using these security flaws, he could have stolen over $25 billion from the bank (the name of the bank remains undisclosed). However, since he was a white hat hacker, Prakash immediately reached out to the bank and informed them about these security issues in their mobile application (the bank took 12 days to respond to the hacker). The researcher also helped them fix the vulnerabilities that could have allowed criminal hackers to steal money from any or all of the bank's customers using just a few lines of code.
Prakash explained in a blog post that the banking app lacked certificate pinning, which could have allowed a Man-in-the-Middle (MitM) attacker to downgrade the SSL connection and capture requests in plain text using fraudulently issued certificates.
I tried to install a self-signed certificate, to capture the plain text request/response on Burp, and it worked like a charm. Which means, no certificate pinning. Considering this is a mobile banking application, lack of certificate pinning is an epic failure.
What was more surprising, however, was the lack of any session invalidation controls on the backend, which meant the session IDs lived forever until the user manually terminated them. He also discovered critical problems in the authentication process that could have been easily exploited by hackers mimicking customer behavior. Thanks to the insecure login session architecture, the flaws allowed attackers to perform critical actions on behalf of the victim account holder without knowing the password. The flaws allowed the hacker to do everything a bank customer was able to do - transfer funds, access the account balance, etc.
So invoking the fund transfer API call directly via cURL bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my payee list.
It was a matter of five lines of code to enumerate the bank's customer records (Current Account Balance, and Deposits).
Prakash was able to transfer money from any source account to any destination account, which he tested using his parents' accounts. He also claims that even accounts that did not have mobile or net banking activated were accessible to him using these flaws. "There were a bunch of hyper critical controls that I wanted to test (Account Balance validation while transferring funds, Fund Transfer Limitation), but that would have been outright illegal. So I had to skip it," Prakash said.
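The three backend controls the article says were missing (session invalidation, ownership of the source account, and beneficiary-list validation) can be modelled in a few lines. This is an added example, not code from the bank or from Prakash's post; the account numbers, user names, payee lists and the 15-minute session timeout are all constructed.

```python
"""Model of the fund-transfer checks the article describes as missing (constructed example)."""
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 15 * 60  # hypothetical idle timeout; the real app had none


@dataclass
class Session:
    user: str          # authenticated customer this session belongs to
    issued_at: float   # epoch seconds when the session was created
    revoked: bool = False  # set on logout or server-side invalidation


def sample_bank():
    """Constructed sample data: accounts keyed by number, plus each user's registered payees."""
    accounts = {
        "ACC-1001": {"owner": "alice", "balance": 5000},
        "ACC-2002": {"owner": "bob", "balance": 300},
        "ACC-3003": {"owner": "carol", "balance": 100},
    }
    payees = {"alice": {"ACC-2002"}, "bob": set(), "carol": set()}
    return accounts, payees


def transfer_vulnerable(accounts, src, dst, amount):
    """Mirrors the flaw in the article: the API trusts client-supplied account numbers outright."""
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount
    return "ok"


def transfer_hardened(accounts, payees, session, src, dst, amount, now=None):
    """Same transfer, but every decision is bound to the authenticated session, not to request fields."""
    now = time.time() if now is None else now
    if session.revoked or now - session.issued_at > SESSION_TTL_SECONDS:
        return "session_invalid"          # expired or revoked sessions are rejected server-side
    if src not in accounts or dst not in accounts or amount <= 0:
        return "bad_request"
    if accounts[src]["owner"] != session.user:
        return "not_owner"                # source account must belong to the session's user
    if dst not in payees.get(session.user, set()):
        return "payee_not_registered"     # destination must be on the user's own payee list
    if accounts[src]["balance"] < amount:
        return "insufficient_funds"       # balance validation before debiting
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount
    return "ok"
```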
Sadly for him, Prakash did not receive any bounty from the bank even though he helped them fix some major critical bugs. "It took them 12 days to respond to an email saying 'Hey, your several billion worth deposits are at risk,'" Prakash wrote, "which was stunning."
-Relevant: 100 Criminals Stole $12.7 Million in Hours-Long Japan ATM Heist on a Sunday Morning
Source: https://wccftech.com/5-lines-of-code-allowed-a-hacker-to-steal-25-billion-from-a-bank/
Posted by: nashtheken.blogspot.com