Open Source and information security mailing list archives
Message-ID: <003501cb6fb7$a37fef80$c103fea9@ml>
Date: Tue, 19 Oct 2010 21:00:13 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Re: Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)

Hello Andriy and Bugtraq!

It's an interesting issue in LiqPAY, which was quickly fixed by Privat Bank
after your disclosure.

Even though they refused to fix it (as not an issue in their opinion) on 22 March
2010, when you officially informed them, by 27 March 2010 they had fixed
it, by adding the site's address into the text of the SMS. Even on 11 March 2010
they changed the default text of the SMS and added to it the suggestion not
to pass the password to third parties. All these changes will not eliminate all
forms of phishing, but they are still an improvement of the SMS message.

So your informing them and disclosing this vulnerability had an effect ;-)
and Privat Bank fixed it. This is a rare case where they fixed the holes
they were warned about, because they ignored all my warnings to Privat Bank
during 2008-2010 about multiple vulnerabilities at many of their sites (and
so neither answered nor fixed the holes).

It is also interesting that this issue is similar to one of the issues in Privat
Bank's Privat24 for Facebook, which you disclosed recently
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076834.html).
And while they fixed the SMS issue in the case of LiqPAY, they didn't fix
it in the case of the Facebook version of Privat24. This is strange, because they
could quickly have fixed the text of those SMS messages, as they did earlier for their
LiqPAY system.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank
(Ukraine)
Mar 22 2010 05:38PM
Andriy Tereshchenko (tag 24 odessa ua)

> 1) Affected Service
>
> * LiqPAY micro-payment system from PrivatBank, Ukraine
>
> 2) Severity
>
> Rating: Moderate (needs user actions)
> Impact: Exposure of sensitive financial information and unauthorized
> access to system
> Where: Remote (man-in-the-middle)
