Message-ID: <eec835031003221038n53ad521fu3e3778281a2f90f3@mail.gmail.com>
Date: Mon, 22 Mar 2010 19:38:36 +0200
From: Andriy Tereshchenko <tag@...odessa.ua>
To: bugtraq@...urityfocus.com
Subject: Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)

1) Affected Service

* LiqPAY micro-payment system from PrivatBank, Ukraine

2) Severity

Rating: Moderate (requires user action)
Impact: Exposure of sensitive financial information and unauthorized
access to the system
Where:  Remote (man-in-the-middle)

3) Vendor's Description of Service

"LiqPAY is global open high-secure payment system that lets anyone
easily send money using mobile phones, Internet and payment cards
worldwide.
...
LiqPAY Benefits: Strong security. Strong identification and
verification using the OTP technology."

Product Link:
https://www.liqpay.com/?do=pages&p=productliqpay


4) Description of Vulnerability

LiqPAY's one-time-password technology is based on SMS messages sent to
the mobile phone of the registered user. In order to log in, the user
has to submit his mobile phone number on a web form and is then
prompted for the 8-digit password from the SMS message that the system
sends to his mobile.

The vulnerability is that the SMS messages are not tagged in any way
to show that they come from the LiqPAY system.
The SMS message text looks like "Parol: 12345678 --Do not pass your
password to third party.".

Exploitation is as follows: an attacker can set up a website (or any
other service) that first asks users for their mobile phone numbers
and then for the password they have received. The attacker does not
send any SMS himself, but instead requests the LiqPAY system to send
one to the user. Once the user types the password he received in the
SMS message into the attacker's website, the attacker can use this
password to log in to the LiqPAY system.

After logging in to LiqPAY, all services of the system are available
to the attacker: the history of previous payments and the sending of
digital money.

5) Solution

SMS messages from the LiqPAY system should be tagged properly so that
users can clearly identify the service and the website URL from which
the SMS originates.

Temporary solution for current users: do not respond to any SMS
message similar in format to LiqPAY's (where an 8-digit password is
used).
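
Added example (not LiqPAY's code): one way to implement the tagging
recommended above. The server composes the OTP SMS with a final line
of the form "@host #code", the origin-bound one-time-code convention
adopted later by browsers' WebOTP API, and the receiving side only
accepts the code when the bound host matches the site where the code
is being entered. The service name and URLs are taken from this
advisory; the message wording is my own assumption.

```python
import re
import secrets
from urllib.parse import urlsplit


def origin_host(url: str) -> str:
    """Return the lowercase host of a URL; this is what the SMS is bound to."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host


def generate_otp(digits: int = 8) -> str:
    """8-digit code as used by LiqPAY, drawn from a CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def compose_sms(service: str, site_url: str, otp: str) -> str:
    """Build the SMS: a human-readable line naming the service and its URL,
    then the machine-readable binding line '@host #code'."""
    host = origin_host(site_url)
    return (f"{service}: your one-time password is {otp}. Enter it only "
            f"on https://{host}/ and never give it to anyone.\n"
            f"@{host} #{otp}")


# Binding line: '@' host, one space, '#' code, nothing else.
_BINDING = re.compile(r"^@(?P<host>[^\s#]+) #(?P<code>\S+)$")


def extract_bound_code(sms: str):
    """Return (host, code) from the last line of the SMS, or None if the
    message carries no origin binding (e.g. the untagged LiqPAY text)."""
    lines = sms.strip().splitlines()
    if not lines:
        return None
    m = _BINDING.match(lines[-1])
    return (m["host"], m["code"]) if m else None


def code_for_site(sms: str, entry_url: str):
    """Release the code only if the SMS is bound to the site where the user
    is about to enter it; a relaying site on another host gets nothing."""
    bound = extract_bound_code(sms)
    if bound is None:
        return None
    host, code = bound
    return code if host == origin_host(entry_url) else None
```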

6) Time Table

18:16 EET 22 March 2010 - Issue reported publicly to the vendor
(blog of Alexander Vityaz, Head of the Center for E-business at PrivatBank)
18:22 - Vendor dismissed it as a non-issue

7) Credits

Discovered by a client of PrivatBank.

8) About LiqPay and PrivatBank

The commercial bank PrivatBank (Ukraine) was founded in 1992. Its
services are used by more than 23% of the population of Ukraine.
PrivatBank currently serves 420 thousand corporate clients and small
businesses, and over 13 million individual accounts.

LiqPAY is a micropayment system created by PrivatBank. It is actively
promoted to PrivatBank's clients.
All ~3000 branches of the bank issue micropayment vouchers or open
LiqPAY accounts instead of giving change in coins to most of their
clients when bank services or wire payments are requested. The number
of LiqPAY users as a result of this effort is claimed to be over 120
thousand.
