Bank fixes issues, doesn't reward researcher

May 22, 2016 22:20 GMT  ·  By

Sathya Prakash, an Indian security researcher, discovered several security issues with the mobile app developed by an Indian bank, which, if exploited, would have allowed a hacker to steal all of the bank's funds.

Prakash found all these issues last fall, when he decided to take the bank's iOS app for a test run. Being a trained professional, the researcher wasn't satisfied with pushing buttons and looking at colored charts, so he connected the device to security debugging tools to see what was going on under the hood.

No certificate pinning, bad user login session architecture

The researcher quickly discovered that the app lacked some basic security measures, most notably HTTP Public Key Pinning (HPKP), a.k.a. certificate pinning, which the app did not use at all.

The lack of this feature exposed users to MitM (Man in the Middle) attacks, even though the app's traffic to and from the bank was encrypted and sent over HTTPS: without pinning, the app accepts any certificate the device happens to trust for the bank's domain, not just the bank's own.

Prakash also discovered that the app had a "careless architecture" for user login sessions, which apparently never expired. Coupled with the MitM attack above, a third party would have been able to carry out operations on the user's behalf without needing to authenticate at any point.

Researcher could have emptied out all bank accounts

But it didn't end there. Prakash also looked at how the app handled bank transactions. By digging around in a Web request's parameters, he was able to reverse-engineer the entire process and found a way to send money from any account to any other. All of this without authentication.
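To make the two server-side defects concrete, here is an added example (not code from the bank, the researcher or this article): a toy transfer service with the pattern the article describes, a session store that never expires and a transfer handler that never checks who is calling, next to a hardened version that issues HMAC-signed sessions with an expiry and refuses a transfer unless the caller owns the source account. Account numbers, balances, user names and the signing key are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed sample data: accounts, who owns them, and the HMAC key.
ACCOUNTS = {"ACC-1001": 500, "ACC-2002": 50}
OWNERS = {"ACC-1001": "alice", "ACC-2002": "bob"}
SECRET = b"constructed-demo-key-do-not-reuse"
SESSION_TTL = 15 * 60  # seconds; a real service would also revoke server-side

# --- Pattern the article describes: sessions never expire and transfers
# --- never check who is calling (kept only to show the contrast).
IMMORTAL_SESSIONS = {}


def login_vulnerable(user):
    token = secrets.token_hex(16)
    IMMORTAL_SESSIONS[token] = user  # no expiry, no logout, no rotation
    return token


def transfer_vulnerable(accounts, src, dst, amount, token=None):
    # The token is never inspected, and nothing ties the caller to `src`.
    accounts[src] -= amount
    accounts[dst] += amount
    return "ok"


# --- Hardened version: signed, expiring session tokens plus an ownership check.

def issue_session(user, now):
    """Return '<payload_b64>.<tag_b64>' with an absolute expiry in the payload."""
    payload = json.dumps({"sub": user, "exp": now + SESSION_TTL}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_session(token, now):
    """Return the user a token belongs to, or None if it is malformed, forged or expired."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload or tag was tampered with
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # session is dead: no immortal logins
    return claims["sub"]


def transfer_hardened(accounts, owners, src, dst, amount, token, now):
    user = verify_session(token, now)
    if user is None:
        return "unauthenticated"
    if owners.get(src) != user:
        return "forbidden"  # caller does not own the source account
    if amount <= 0 or accounts.get(src, 0) < amount or dst not in accounts:
        return "rejected"
    accounts[src] -= amount
    accounts[dst] += amount
    return "ok"


def demo(now=1_700_000_000):
    """Run both patterns against fresh copies of the sample accounts."""
    v = dict(ACCOUNTS)
    h = dict(ACCOUNTS)
    alice = issue_session("alice", now)
    bob = issue_session("bob", now)
    return {
        "vuln_no_token": transfer_vulnerable(v, "ACC-1001", "ACC-2002", 500),
        "vuln_balance": v["ACC-1001"],
        "owner_ok": transfer_hardened(h, OWNERS, "ACC-1001", "ACC-2002", 100, alice, now),
        "other_user": transfer_hardened(h, OWNERS, "ACC-1001", "ACC-2002", 100, bob, now),
        "expired": transfer_hardened(h, OWNERS, "ACC-1001", "ACC-2002", 100, alice, now + SESSION_TTL),
        "forged": transfer_hardened(h, OWNERS, "ACC-1001", "ACC-2002", 100, alice[:-1] + "A", now),
        "hardened_balance": h["ACC-1001"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The time is passed in explicitly rather than read from the clock so that expiry can be checked deterministically; the "forged" case alters the last character of the token's signature, which is enough for the constant-time comparison to reject it.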

In practice, Prakash had found a way to move any of the bank's money if he wished to, which the researcher says amounted to around $25 billion at the end of 2015.

Luckily for the bank, Prakash wasn't that kind of person, and he contacted them via email, explaining the issues and even providing proof-of-concept code to help them fix everything. The bank corrected all the problems twelve days later.