Cybercriminals can easily get access to your YesBank Internet Banking using a stolen Debit/Credit Card Number and PIN

A security researcher disclosed a vulnerability in YesBank's online banking service; the bank promptly fixed the issue.

I am a customer of YesBank and I hold my savings account with them. I also use YesBank's online banking application, and I strongly feel that the bank's application must be secure. So, as a responsible client, I disclosed to YesBank the vulnerability I recently found in their application. I would like to thank YesBank for fixing this issue immediately.
 
For those who do not know about YesBank, you can read about the bank on Wikipedia.
 
“YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.”
 
Introduction
I regularly perform penetration testing on applications at SecureLayer7, and recently I stumbled on a very simple bug in the YesBank online banking application (referred to as YesBank in the rest of this article). YesBank provides a good number of features to millions of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of the OWASP Top 3 vulnerabilities, i.e. Injection.
 
This vulnerability is caused by poor input validation in the application. Consequently, an attacker can exploit it to bypass the OTP process and reset the bank account password. To exploit this vulnerability, the attacker needs information about the victim's bank account, for example their ATM card number, ATM PIN, etc.
 
According to Indian media reports, several Indian banks are issuing advisories to their customers, asking them to change their security code (more popularly known as the ATM PIN) or, better, replace the card.
 
Once the attacker gathers all the information required to exploit this vulnerability, he can gain access to the victim's Online Banking Application account by resetting the user's original password.
 
The Proof of Concept
To execute the payload successfully, switch the mobile's flight mode off or on. (Banking user information is blurred for security reasons.)
 
Vulnerability Timeline:
1) Vulnerability reported to YesBank on 21 September 2016
 
2) Vulnerability re-tested on 20 October 2016; it was patched
 
Takeaway:
I always recommend implementing universal input validation against the commonly known vulnerabilities; banking applications in particular should validate all types of untrusted user input.
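The takeaway above, as an added defensive example that is not from the article or from YesBank: a server-side OTP check for a password-reset flow that allow-lists the field to exactly six ASCII digits before the value is used anywhere, expires codes, caps guesses and compares in constant time. The names (`OtpStore`, `OTP_TTL_SECONDS`, `MAX_ATTEMPTS`) are illustrative assumptions, and the store is in-memory for the sake of the example.

```python
import hmac
import re
import secrets
import time

# Strict allow-list for the OTP field: exactly six ASCII digits, nothing else.
# [0-9] is used instead of \d because \d also matches non-ASCII digits,
# and \A...\Z (not ^...$) refuses a trailing newline.
OTP_PATTERN = re.compile(r"\A[0-9]{6}\Z")
OTP_TTL_SECONDS = 300   # an issued code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 5        # guesses allowed per issued code (assumed policy)


class OtpStore:
    """Server-side OTP state for a password-reset flow (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing
        self._pending = {}              # account_id -> [otp, issued_at, attempts]

    def issue(self, account_id: str) -> str:
        """Create a fresh six-digit code, replacing any code still pending."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = [otp, self._now(), 0]
        return otp

    def verify(self, account_id: str, submitted) -> bool:
        """Return True only for a well-formed, unexpired, unused, matching code."""
        # 1. Reject anything that is not exactly six digits before the value
        #    reaches a comparison, a database query or a template.
        if not isinstance(submitted, str) or not OTP_PATTERN.match(submitted):
            return False
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        otp, issued_at, _ = entry
        # 2. Expire stale codes and cap the number of guesses per code.
        if self._now() - issued_at > OTP_TTL_SECONDS or entry[2] >= MAX_ATTEMPTS:
            self._pending.pop(account_id, None)
            return False
        entry[2] += 1
        # 3. Constant-time comparison; a code is single-use on success.
        if hmac.compare_digest(otp, submitted):
            self._pending.pop(account_id, None)
            return True
        return False
```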
 
Author Name: Sandeep Kamble.
Author Bio: As the Founder and CEO of SecureLayer7, Sandeep is responsible for setting the overall strategy and direction of the company. Sandeep also takes care of the technical execution team. In this capacity, he is responsible for leading, directing, and executing client-facing engagements that include SecureLayer7's tactical service offerings.

Sandeep developed a professional services division, defined SecureLayer7's core methodologies, and trained new employees on the latest hacking techniques to find vulnerabilities in clients' activities.
He is an active core team member of the security community Garage4Hackers.
Sandeep is also a senior security researcher and developer. "As a security professional, I have managed to debunk critical vulnerabilities/bugs in Google, Facebook, Twitter, Dropbox, PayPal and others". Sandeep was a speaker at the international security conferences ClubHack 2012 and Jailbreak Nullcon 2013.
Sandeep can be reached at sandeep@securelayer7.net and on Twitter.


Pierluigi Paganini

(Security Affairs – Linux, hacking)