| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Sep 2013 23:55:51 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk> Subject: Vulnerability in Privat24 for Android and iOS Hello list! This is Insufficient Process Validation vulnerability in Privat24. Which allows to bypass OTP (in sms) and steal money from users' accounts. Privat24 - it's Internet banking from PrivatBank. And all mobile clients are vulnerable, unlike web site of Privat24. Since 06.06.2013, after I found the hole and inform PrivatBank, they still haven't fixed it. ------------------------- Affected products: ------------------------- Vulnerable are all versions (because the hole depends on server configuration). Tested in Privat24 3.27.2 for Android and Privat24 4.8.6 for iOS. Version for Windows Phone must be affected as well. ------------------------- Affected vendors: ------------------------- PrivatBank Privat24 for iOS https://itunes.apple.com/ru/app/privat24/id326277589?mt=8 Privat24 for Android https://play.google.com/store/apps/details?id=ua.privatbank.ap24 https://play.google.com/store/apps/details?id=ua.privatbank.ap24old Privat24 for Windows Phone http://www.windowsphone.com/ru-ru/store/app/privat24/134e3c22-dab5-4305-906b-78ec850bfe32 ---------- Details: ---------- Insufficient Process Validation (WASC-40): At logging into Privat24 via clients for Android and iOS the OTP is not asking (as it was before June 2013). I.e. without confirming with one time password, which comes by sms, it is possible to log into account - unlike web site of Privat24, where OTP is always asking. The only time, when sms with OTP comes - it's on new device to lock it to the account. After that there is no more OTP. This can be bypassed at accessing to victim's phone or tablet or by using the first hole from those which I found in Privat24 earlier. To steal money from account with bypassing OTP for transaction (as in web site of Privat24) the second hole can be used from those which I found in Privat24 earlier. Both these vulnerabilities will be disclosed soon. Watch demonstration video of vulnerability in Privat24: http://www.youtube.com/watch?v=d1ifN8MPZQo ------------ Timeline: ------------ 2013.03.14 - found two vulnerabilities in Privat24 for Android. 2013.03.15 - informed PrivatBank. Ignored. 2013.06.06 - found new vulnerability (described in this advisory) in Privat24 for Android (later tested in iOS). 2013.06.06 - informed PrivatBank. Answered, that they were aware about it and were working to fix it. 2013.06.06 - announced at my site. 2013.06 - 2013.09 - multiple times reminded PrivatBank about this hole and gave arguments about previous two holes. 2013.09.13 - disclosed at my site (http://websecurity.com.ua/6554/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists