Message-ID: <AANLkTi=q9drJ-atT5SU3kG9QxD6YuFX=1CU37YWb82Bs@mail.gmail.com>
Date: Mon, 11 Oct 2010 21:32:59 +0300
From: Andriy Tereshchenko <tag@...odessa.ua>
To: Shreyas Zare <shreyas@...fence.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)

Hi,

I suspect that the real reason for this app is intelligence on data about bank clients from the Facebook database, to be used during debt collection or while making loan decisions.

The app has no Privacy Policy defined, but requests permissions to access the Facebook profile, friends list and other info. ;-)

The person who "invented" this app, Alexander Vityaz, has posted on his wall (on 1 October) a link to an article on how many data-mining employees LinkedIn has and what they do. Seems like he is willing to replicate the same effort for banking purposes.

References:

1. Alexander Vityaz Facebook Wall
   http://www.facebook.com/profile.php?id=544590214&v=wall&ref=ts

2. Article about Dip Nashar - CEO of LinkedIn (in Russian)
   http://www.forbes.ru/karera/rynok-truda/57722-zaprogrammirovat-kareru

--
TAG

On Mon, Oct 11, 2010 at 7:58 PM, Shreyas Zare <shreyas@...fence.com> wrote:
> LOL. It must be quite convenient to use banking alongside FarmVille.
>
> Shreyas Zare
>
> Sr. Information Security Researcher
> Secfence Technologies
> www.secfence.com
>
>
> On Mon, Oct 11, 2010 at 3:57 AM, Andriy Tereshchenko <tag@...odessa.ua>
> wrote:
>>
>> 1) Affected Service
>>
>> * Privat24 application in Facebook created by PrivatBank, Ukraine
>>
>> 2) Severity
>>
>> Rating: Moderate (need user actions or access to mobile phone)
>> Impact: Exposure of sensitive financial information
>> and unauthorized payment transactions
>> Where: Remote (man in the middle), Local (removed authentication factor)
....

--
Andriy G. Tereshchenko
Odessa, Ukraine
+380683777768

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/