Message-ID: <AANLkTi=q9drJ-atT5SU3kG9QxD6YuFX=1CU37YWb82Bs@mail.gmail.com>
Date: Mon, 11 Oct 2010 21:32:59 +0300
From: Andriy Tereshchenko <tag@...odessa.ua>
To: Shreyas Zare <shreyas@...fence.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Privat24 (Facebook version) bypass of static
 password for accounts of PrivatBank (Ukraine, Russia and CIS)

Hi,

I suspect that the real reason for this app is intelligence on bank
clients' data from the Facebook database, to be used during debt
collection or while making loan decisions.

The app has no Privacy Policy defined, but requests permission to access
the Facebook profile, friends list and other info. ;-)

The person who "invented" this app, Alexander Vityaz, has posted on his
wall (on 1 October) a link to an article on how many data-mining employees
LinkedIn has and what they do.  Seems like he is willing to replicate the
same effort for banking purposes.

References:
1. Alexander Vityaz  Facebook Wall
http://www.facebook.com/profile.php?id=544590214&v=wall&ref=ts

2. Article about Dip Nashar - CEO of LinkedIn (in Russian)
http://www.forbes.ru/karera/rynok-truda/57722-zaprogrammirovat-kareru

--
TAG

On Mon, Oct 11, 2010 at 7:58 PM, Shreyas Zare <shreyas@...fence.com> wrote:
> LOL. It must be quite convenient to use banking alongside FarmVille.
>
> Shreyas Zare
>
> Sr. Information Security Researcher
> Secfence Technologies
> www.secfence.com
>
>
> On Mon, Oct 11, 2010 at 3:57 AM, Andriy Tereshchenko <tag@...odessa.ua>
> wrote:
>>
>> 1) Affected Service
>>
>> * Privat24 application in Facebook created by PrivatBank, Ukraine
>>
>> 2) Severity
>>
>> Rating: Moderate (needs user action or access to mobile phone)
>> Impact: Exposure of sensitive financial information
>>           and unauthorized payment transactions
>> Where: Remote (man in the middle), Local (removed authentication factor)
....

--
Andriy G. Tereshchenko
Odessa, Ukraine
+380683777768

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
