Cyber Criminal can easily get access to your YesBank Internet Banking using stolen Debit/Credit Card Number and PIN

Pierluigi Paganini October 21, 2016

A security researcher disclosed a vulnerability in the online banking service of the YesBank that promptly fixed the issue.

I am a customer of YesBank and I hold my savings account with them. I also use the YesBank’s online banking application and I strongly feel that the application of the bank must be secured. So, as a responsible client, I disclosed the vulnerability to YesBank which I recently found in their application. And I would like to thank YesBank for fixing this issue immediately.
For those who do not know about YesBank, you can read about the bank on wiki.
“YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.”
I regularly perform the penetration testing on applications at SecureLayer7 and recently, I stumbled on a very simple bug in the YesBank online banking application (referred as YesBank in the remaining article). YesBank provides a good number of features to million of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of the OWASP’s Top 3 vulnerability, i.e. Injections.
This vulnerability is caused by poor input validation of the application. Consequently, attacker can exploit this vulnerability to bypass the OTP process to reset the bank account password. To exploit this vulnerability, attacker needs the information of the victim bank account, for example their ATM number, ATM Pin, etc.
Several Indian banks are issuing an advisory to their customers, asking them to change their security code (more popularly known as ATM pin) or better replace the card, by Indian media reports
Once the attacker gathers all the information required to exploit this vulnerability, he can gain the access to the Online Banking Application account by resetting the original password of the user.
The Proof of Concept
To execute the payload successfully switch OFF or turn ON the flight mode of the mobile. (Banking user information is blurred for security reasons)
Vulnerability Timeline:
1) Vulnerability reported on 21st of Sept, 2016 to YesBank
2) Re-tested Vulnerability on 20th October 2016 and it was patched
I always recommend implementing the universal input validations for the commonly known vulnerabilities, especially banking application should have all types of input validations on the un-trusted user inputs.
Author Name : Sandeep Kamble.
sandeep-kambleAuthor Bio : As the Founder and CEO of SecureLayer7, Sandeep is responsible for setting the overall strategy and direction of the company. Sandeep is taken care of technical execution team. In this capacity, he is responsible for leading, directing, and executing client-facing engagements that include SecureLayer7’s tactical service offerings.

Sandeep developed a professional services division, defined the SecureLayer7’s core methodologies, and trained new employees on the latest hacking techniques to find vulnerabilities in client’s activities.
An active core team member of security community called as Garage4Hackers.
Sandeep is also an Sr. security researcher and developer. “As a security professional, I have managed to debunk critical vulnerabilities/bugs in Google, Facebook, Twitter, Dropbox, PayPal and others”. Sandeep was a speaker at International security conferences ClubHack 2012 & Jailbreak Nullcon 2013.
Sandeep can be reached at [email protected] and on Twitter


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux, hacking)

you might also like

leave a comment