Indian ethical hacker found several flaws in a banking app that could have let an attacker drain accounts at a bank holding $25 billion in deposits
An undisclosed bank was lucky that an ethical hacker found the flaws and reported them. Had someone with malicious intent found them first, they could have moved money out of the accounts of a bank that holds about $25 billion in deposits.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that would have allowed him to steal money from any or all of the bank's customers with just a few lines of code.
However, Prakash immediately reached out to the bank in question and alerted it to the severe flaws in its mobile banking app. He also helped the bank fix them, rather than exploiting the holes to steal from a bank that holds about $25 billion in deposits.
According to Prakash, when he analysed the bank's app he found several bugs. The app lacked certificate pinning, so a man-in-the-middle attacker holding a certificate the device trusts (a fraudulently issued one, or one signed by a CA installed on the device) can intercept the TLS connection and read the app's requests in plain text. Intercepting the traffic exposed the app's API, and the server accepted whatever customer ID a request carried without checking that it belonged to the logged-in user, so Prakash could read customer records such as current account balance and deposits simply by automating requests and guessing customer IDs.
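The customer-ID enumeration described above is visible on the server side as one session reading records for many customer IDs it does not own, often in sequence. The following is an added example, not code from the bank or from Prakash's post: detection logic run over a few constructed API access-log lines. The log format, the session token field and the `/api/v1/customer/<id>/<resource>` path are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real bank data). Assumed format:
# ISO timestamp, session token, HTTP method, request path.
SAMPLE_LOG = """\
2015-11-12T10:00:01 sess=aaa111 GET /api/v1/customer/100001/balance
2015-11-12T10:00:02 sess=aaa111 GET /api/v1/customer/100002/balance
2015-11-12T10:00:02 sess=aaa111 GET /api/v1/customer/100003/balance
2015-11-12T10:00:03 sess=aaa111 GET /api/v1/customer/100004/balance
2015-11-12T10:00:03 sess=aaa111 GET /api/v1/customer/100005/balance
2015-11-12T10:00:04 sess=aaa111 GET /api/v1/customer/100006/balance
2015-11-12T10:05:00 sess=bbb222 GET /api/v1/customer/200010/balance
2015-11-12T10:05:30 sess=bbb222 GET /api/v1/customer/200010/deposits
"""

# Assumed path layout: only customer-record endpoints are of interest here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) (?P<method>[A-Z]+) "
    r"/api/v1/customer/(?P<cid>\d+)/(?P<resource>\w+)$"
)


def parse_log(text):
    """Return (timestamp, session, customer_id, resource) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a customer-record request; ignore
        events.append((datetime.fromisoformat(m["ts"]), m["sess"],
                       int(m["cid"]), m["resource"]))
    return events


def find_enumeration(events, max_ids=3, window_seconds=60):
    """Flag sessions that read more than max_ids distinct customer IDs within
    any window_seconds window. A legitimate session only touches the customer
    it logged in as, so anything above one ID is already suspicious; the
    threshold leaves room for joint-account edge cases. Also report whether
    the IDs form a consecutive run, the signature of a guessing loop."""
    by_sess = defaultdict(list)
    for ts, sess, cid, _ in events:
        by_sess[sess].append((ts, cid))
    flagged = {}
    for sess, reqs in by_sess.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            ids = {cid for ts, cid in reqs[i:]
                   if (ts - t0).total_seconds() <= window_seconds}
            if len(ids) > max_ids:
                seq = sorted(ids)
                sequential = all(b - a == 1 for a, b in zip(seq, seq[1:]))
                flagged[sess] = {"distinct_ids": len(ids), "sequential": sequential}
                break
    return flagged


if __name__ == "__main__":
    for sess, info in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"session {sess}: {info['distinct_ids']} customer IDs, "
              f"sequential={info['sequential']}")
```

Detection of this kind is a backstop, not the fix: the authoritative control is for the server to take the customer ID from the authenticated session rather than from the request, at which point the enumeration simply returns the caller's own record every time.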
That was only the beginning. Digging further, he found a far more serious bug that let him pick any account through the app and transfer the money in it to someone else's account. The app's login session handling was insecure: the server did not tie requests to the customer who had actually logged in, so Prakash could perform critical actions on behalf of a targeted account holder without knowing the login password, including viewing the victim's current account balance and deposits, adding a new beneficiary and making fraudulent transfers.
“So invoking the fund transfer API call directly via cURL bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren’t on my beneficiary list,” Prakash wrote in his blog post.
“It was a matter of 5 lines of code [exploit] to enumerate the bank’s customer records (Current Account Balance, and Deposits).”
Prakash also discovered that the backend did not check whether the customer ID or the Transaction Authorisation PIN (MTPIN) supplied in a request actually belonged to the sender, meaning a transfer out of a victim's account could be authorised with a PIN that was not the victim's. The MTPIN is the additional credential the bank requires for transactions such as transferring funds or opening a new account or fixed deposit.
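The transfer and beneficiary flaws above are all the same class of bug: the server trusts identity and authorisation data from the request body instead of from the authenticated session, and a check that only exists in the app's UI is no check at all against a direct API call. The following is an added example, not the bank's code and not from Prakash's post: a minimal transfer handler written the way the article describes the flaw, beside a hardened version that binds the sender to the session, enforces the beneficiary list server-side and verifies that the MTPIN is the sender's own. The `Bank`, `Session`, account numbers and PINs are constructed sample data.

```python
from dataclasses import dataclass, field
import hmac


class TransferError(Exception):
    pass


@dataclass
class Bank:
    """Constructed in-memory stand-in for the bank's backend. Sample data only."""
    accounts: dict = field(default_factory=lambda: {"100001": 5000, "100002": 300, "900900": 0})
    beneficiaries: dict = field(default_factory=lambda: {"100001": {"100002"}, "100002": set(), "900900": set()})
    mtpins: dict = field(default_factory=lambda: {"100001": "4321", "100002": "8765", "900900": "1111"})


@dataclass
class Session:
    customer_id: str  # established server-side at login; never supplied by the client


def transfer_vulnerable(bank: Bank, request: dict) -> int:
    """The flaw as the article describes it: sender, destination and MTPIN all come
    from the request body, the PIN is only checked for being *a* valid PIN, and the
    beneficiary list is never consulted because that check lived only in the app."""
    src, dst = request["from"], request["to"]
    amount, pin = request["amount"], request["mtpin"]
    if pin not in bank.mtpins.values():
        raise TransferError("invalid MTPIN")
    if bank.accounts[src] < amount:
        raise TransferError("insufficient funds")
    bank.accounts[src] -= amount
    bank.accounts[dst] += amount
    return bank.accounts[src]


def _check_own_pin(bank: Bank, session: Session, request: dict) -> None:
    """The MTPIN must be the one belonging to the session's customer, nobody else's."""
    pin = str(request.get("mtpin", ""))
    if not hmac.compare_digest(bank.mtpins[session.customer_id], pin):
        raise TransferError("MTPIN does not match the sender's")


def transfer_hardened(bank: Bank, session: Session, request: dict) -> int:
    src = session.customer_id  # any "from" field in the request body is ignored
    dst, amount = request.get("to"), request.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        raise TransferError("invalid amount")
    if dst not in bank.accounts or dst == src:
        raise TransferError("invalid destination")
    if dst not in bank.beneficiaries.get(src, set()):  # enforced here, not in the UI
        raise TransferError("destination not a registered beneficiary")
    _check_own_pin(bank, session, request)
    if bank.accounts[src] < amount:
        raise TransferError("insufficient funds")
    bank.accounts[src] -= amount
    bank.accounts[dst] += amount
    return bank.accounts[src]


def add_beneficiary_hardened(bank: Bank, session: Session, request: dict) -> list:
    """Adding a beneficiary is itself a privileged step, so it is bound to the
    session and gated on the owner's own MTPIN in the same way."""
    owner = session.customer_id
    dst = request.get("beneficiary")
    if dst not in bank.accounts or dst == owner:
        raise TransferError("invalid beneficiary")
    _check_own_pin(bank, session, request)
    bank.beneficiaries.setdefault(owner, set()).add(dst)
    return sorted(bank.beneficiaries[owner])


def outcome(fn, *args):
    """Run a handler and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", fn(*args))
    except TransferError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    # Attacker-style request: victim's account as sender, unregistered mule as
    # destination, attacker's own PIN. Succeeds against the vulnerable handler.
    crafted = {"from": "100001", "to": "900900", "amount": 1000, "mtpin": "8765"}
    print("vulnerable:", outcome(transfer_vulnerable, Bank(), crafted))
    # Same request through the hardened handler, with the attacker logged in as
    # themselves: the sender becomes the attacker and the transfer is refused.
    print("hardened:  ", outcome(transfer_hardened, Bank(), Session("900900"), crafted))
```

The point of the hardened version is that the client is never consulted about who it is: identity comes from the session, the beneficiary list and MTPIN ownership are looked up by that identity, and every step a client could skip in the UI is re-checked on the server.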
Prakash tested the flaws against his parents' accounts. Once he had confirmed them, rather than exploiting them he responsibly emailed the bank on November 13, 2015. The bank took cognizance of his report and promptly updated the app to patch the flaws. Prakash, however, received neither a bug bounty nor any felicitation from the bank for saving it millions, if not billions.