Prakash explained that the exploitation of the flaw allowed him to steal money from any or all bank customers.
Prakash discovered a problem quite common for mobile application, the lack of enforcing for Certificate Pinning that could expose users to man-in-the-middle attacks by using fraudulently issued certificates. At this point, the attacker is able to eavesdrop the traffic and manipulate it in order to carry out fraudulent activities.
“I tried to install a self-signed certificate, to capture the plain text request/response on Burp, and it worked like a charm. Which means, no certificate pinning. Considering this is a mobile banking application, lack of certificate pinning is an epic failure.” Prakash wrote in a blog post.
The expert also discovered a serious issue in the authentication process that could be exploited by hackers to operate on the behalf of the bank customers (i.e. make money transfer, access account balance).
“So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren’t on my beneficiary list,” explained Prakash. “It was a matter of 5 lines of code [exploit] to enumerate the bank’s customer records (Current Account Balance, and Deposits).”
The expert demonstrated that it is theoretically possible to steal money from any account of the bank. He initially tested his PoC code to make a transaction with his account, he created a request with his customer ID, and MTPIN, but the using a sender account (6254) did not belong to him.
Just 13 line of code to automate the bank hack.
Prakash discovered that the mobile app did not check the customer ID or Transaction Authorisation PIN (MTPIN) that are essential information for operations like fund transfers.
The hacker explained to Motherboard that he successfully tested the issues to transfer money from someone else’s account by using his family bank accounts.
“I tested with a bunch of accounts belonging to my family. Few of those accounts don’t even have net banking or mobile banking activated,” Prakash added. “And it all worked like a charm.”
There is an unfair end to this story, despite Prakash responsibly reported the flaw to the bank, the financial institution did not reward it.
[adrotate banner=”9″]
(Security Affairs – bank hack, $25 Billion theft)