CUSTOMER
The Customer is an international commercial bank with $500 million in total assets. The bank offers a whole spectrum of banking services for private and corporate customers.
In a nutshell
Our team was tasked to evaluate the current level of Web application and Mobile banking application security for a commercial bank in Europe. While the scope was limited to a black box perspective and implied a scenario of an outside attack knowing the client’s name only, we managed to exploit application deviations, reach critical data, get full access to bank’s clients’ accounts and withdraw money as an ultimate goal.
This case demonstrates how a combination of two simple yet critical vulnerabilities can lead to a full security compromise. At the same time, such vulnerabilities are often overlooked and hence become a common attack vector for malicious actors.
PROCESS
To carry out high-quality comprehensive testing, we used both manual and automated testing tools and techniques.
OTP compromise. During testing we discovered that account access through online banking is protected by two-factor authentication with OTP-code. We managed to find a critical vulnerability in OTP that enabled us to take it over with a brute-force attack (login page password-guessing attack). Furthermore, OTP-verification had also been used for financial or any other asset transactions. Provided that a malicious attacker knows the user’s credentials, it would have become possible to access any account of the bank and conduct unsolicited money transfer, thus completely compromising the security system.
The same OTP vulnerability was confirmed in mobile application, although a different server was used to process requests and APIs of web and mobile applications were supposed to function separately. Hence, mobile app contained the same flaw in the logic of session management and security risk was respectively outstretched.
Authentication compromise. Another critical vulnerability was found when authorizing access to users’ data. Being logged into online banking system and changing the user’s ID token, the hacker could see the private data of other bank clients, including their transactions and balances. Therefore, it was possible to select accounts with preferable balances and then – by using an automatically generated script – brute-force credentials, enter the victims’ accounts, brute-force OTP and withdraw money.
Hacking Scenario: getting full access. The vulnerability in the authentication process allowed access to any user account in the system. The attacker could easily check the account balances, select preferred accounts, brute force necessary details and initiate unsolicited transactions by exploiting OTP vulnerability.
RESULTS
We performed a number of tests to analyze the security of the bank’s web and mobile applications. The testing revealed several types of vulnerabilities classified according to the risk levels defined in the OWASP methodology. The combination of two critical vulnerabilities allowed our team to conduct any transactions from bank clients’ accounts without proper authentication.
To help the bank patch the identified security gaps, we have delivered a comprehensive report covering all found vulnerabilities and provided mitigation recommendations which were implemented at the remediation phase.
TECHNOLOGIES AND TOOLS
Methodology: OWASP Top 10
Tools: BurpSuite, Acunetix, Google Chrome Developer Tools, Python, WPScan, Nessus, Nmap, SQLMap, Nikto, DIRB, Metasploit, custom scripts.
