A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits. While analyzing the mobile banking app, Prakash discovered that the app lacks Certificate Pinning, allowing any man-in-the-middle attacker to downgrade SSL connection and capture requests in plain text using fraudulently issued certificates.
Besides this, Prakash also found that the mobile banking app had insecure login session architecture, allowing an attacker to perform critical actions on the behalf of targeted account holder without knowing the login password, like seeing victim's current account balance and deposits, as well as to add a new beneficiary and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list. It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)," Prakash wrote in his blog post.
Stealing Money from Anyone Else's Account
If this wasn't enough, Prakash discovered that the app did not check to see if the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds, creating a new fixed deposit ‒ actually belong to the sender's account. This blunder in the mobile banking app could have allowed anyone with the app and an account in the bank to transfer money from someone else's account.
"I tested [the hack] with a bunch of accounts belonging to my family. Few of those accounts don't even have net banking or mobile banking activated," Prakash added. "And it all worked like a charm." However, instead of taking advantage of these bugs, Prakash responsibly emailed the bank on November 13, 2015, and within few days, bank’s deputy general manager informed him that the security flaws had been fixed, without rewarding him with a bug bounty, that's unfair.