Open Source and information security mailing list archives
Date: Tue, 19 Oct 2010 22:06:07 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Privat24 (Facebook version) bypass of static
	password for accounts of PrivatBank (Ukraine, Russia and CIS)

Hello Andriy!

These are interesting issues in Privat24 (Facebook version), which concern all
users of Privat24, not only users of Privat24 for Facebook, but especially
concern users of Privat24 for Facebook, because there are many attack vectors
against them.

Besides phishing attacks, an attack (with vulnerabilities #3 and #4 in your
list) can be made on Facebook users who are using the Privat24-Facebook
client, and this attack will not require any social engineering. When a user
has linked his Facebook account to his Privat24 account, the attacker only
needs to compromise his Facebook account to get at all his financial
information and credit cards. For this, holes at Facebook can be used (and
there are many such ones, as is well known).

Note that the issue with SMS (vulnerability #1 in your list) is similar to the
issue in Privat Bank's LiqPAY, which you disclosed earlier this year
(http://www.securityfocus.com/archive/1/510284). And if they fixed the issue
with SMS in the case of LiqPAY (within five days after your disclosure), they
didn't fix it in the case of the Facebook version of Privat24. Which is strange,
because they could have quickly fixed the text of these SMS messages, as they
did earlier for their LiqPAY system.

At least there was an effect from your informing them and disclosing the
hole in LiqPAY ;-) - Privat Bank fixed it. This is that rare case when
they fixed the holes they were warned about. Because they ignored all
my warnings to Privat Bank during 2008-2010 about multiple vulnerabilities
at many of their sites (and so didn't answer and didn't fix the holes).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

[Full-disclosure] Privat24 (Facebook version) bypass of static password for
accounts of PrivatBank (Ukraine, Russia and CIS)
Andriy Tereshchenko tag at 24.odessa.ua
Sun Oct 10 23:27:52 BST 2010


> 1) Affected Service
>
> * Privat24 application in Facebook created by PrivatBank, Ukraine
>
> 2) Severity
>
> Rating: Moderate (need user actions or access to mobile phone)
> Impact: Exposure of sensitive financial information
>            and unauthorized payment transactions
> Where: Remote (man in the middle), Local (removed authentication factor)

