A security researcher could have stolen as much as $25 Billion from one of the India’s biggest banks ‒ Thanks to the bank’s vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim’s current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
If this wasn’t enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender’s account.
This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else’s account.
Read the full article here.