
Password Reset OTP Bypass Critical Vulnerability in YesBank Banking Application

2016-10-20 12:50

I am a customer of YesBank and I hold my savings account with them. I also use YesBank’s online banking application, and I strongly feel that the bank’s application must be secure. So, as a responsible client, I disclosed the vulnerability I recently found in their application to YesBank. I would like to thank YesBank for fixing this issue immediately.

For those who do not know about YesBank, you can read about the bank on Wikipedia:

YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.

Introduction

I regularly perform penetration testing on applications at SecureLayer7, and recently I stumbled on a very simple bug in the YesBank online banking application (referred to as YesBank in the rest of this article). YesBank provides a good number of features to millions of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of the OWASP Top 3 vulnerability classes, i.e. injection.

This vulnerability is caused by poor input validation in the application. Consequently, an attacker can use it to bypass the OTP (one-time password) step of the password reset process. To exploit this vulnerability, the attacker needs information about the victim’s bank account, for example the ATM card number and ATM PIN.

According to Indian media reports, several Indian banks are issuing advisories to their customers, asking them to change their security code (more popularly known as the ATM PIN) or, better, replace the card.

Once the attacker has gathered all the information required to exploit this vulnerability, they can gain access to the victim’s online banking account by resetting the user’s original password.

The Proof of Concept

(Banking user information is blurred for security reasons)


Vulnerability Timeline:

1) Vulnerability reported to YesBank on 21st of Sept, 2016

2) Vulnerability re-tested on 20th Oct, 2016; it was patched

Takeaway:

I always recommend implementing universal input validation against the commonly known vulnerability classes; banking applications in particular should apply every type of input validation to untrusted user input.
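As an added illustration of that takeaway, not YesBank’s or SecureLayer7’s code (the post does not disclose the actual payload), here is a hypothetical server-side OTP step of a password reset flow. It allow-lists the OTP parameter before anything else touches it, compares in constant time, limits attempts, and expires and burns the challenge so the step cannot be skipped or brute-forced:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

DIGITS = frozenset("0123456789")


@dataclass
class ResetChallenge:
    account_id: str
    otp: str            # generated server-side; delivered out of band, never echoed
    expires_at: float
    attempts_left: int = 3


class PasswordResetService:
    """Hypothetical OTP step of a password-reset flow (added example)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.challenges = {}        # challenge id -> ResetChallenge

    def start_reset(self, account_id, now=None):
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"          # 6 digits from a CSPRNG
        cid = secrets.token_urlsafe(16)                  # opaque challenge id
        self.challenges[cid] = ResetChallenge(account_id, otp, now + self.ttl)
        return cid                                       # otp goes to the registered mobile

    def verify_otp(self, cid, submitted, now=None):
        now = time.time() if now is None else now
        ch = self.challenges.get(cid)
        if ch is None:
            return False, "unknown-challenge"
        if now > ch.expires_at or ch.attempts_left <= 0:
            self.challenges.pop(cid, None)               # burn the challenge
            return False, "expired"
        # Allow-list validation first: the parameter must be a str of exactly six
        # ASCII digits. Lists, numbers, blanks and wildcard-style values are
        # rejected before they reach the comparison or any back-end query.
        if not isinstance(submitted, str) or len(submitted) != 6 or not set(submitted) <= DIGITS:
            ch.attempts_left -= 1
            return False, "malformed"
        if not hmac.compare_digest(submitted, ch.otp):   # constant-time compare
            ch.attempts_left -= 1
            return False, "mismatch"
        self.challenges.pop(cid)                         # single use
        return True, "verified"
```

Only a `(True, "verified")` result should mint the token that authorises the actual password change; every other branch leaves the account untouched.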


The post Password Reset OTP Bypass Critical Vulnerability in YesBank Banking Application appeared first on SecureLayer7.


Source: blog.securelayer7.net/yesbank-banking-application-password-reset-otp-bypass-vulnerability/
