lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <011b01cebe1f$796aa960$9b7a6fd5@pc>
Date: Mon, 30 Sep 2013 23:55:51 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerability in Privat24 for Android and iOS

Hello list!

This is Insufficient Process Validation vulnerability in Privat24. Which
allows to bypass OTP (in sms) and steal money from users' accounts.

Privat24 - it's Internet banking from PrivatBank. And all mobile clients are
vulnerable, unlike web site of Privat24. Since 06.06.2013, after I found the
hole and inform PrivatBank, they still haven't fixed it.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions (because the hole depends on server
configuration). Tested in Privat24 3.27.2 for Android and Privat24 4.8.6 for
iOS. Version for Windows Phone must be affected as well.

-------------------------
Affected vendors:
-------------------------

PrivatBank

Privat24 for iOS
https://itunes.apple.com/ru/app/privat24/id326277589?mt=8
Privat24 for Android
https://play.google.com/store/apps/details?id=ua.privatbank.ap24
https://play.google.com/store/apps/details?id=ua.privatbank.ap24old
Privat24 for Windows Phone
http://www.windowsphone.com/ru-ru/store/app/privat24/134e3c22-dab5-4305-906b-78ec850bfe32

----------
Details:
----------

Insufficient Process Validation (WASC-40):

At logging into Privat24 via clients for Android and iOS the OTP is not
asking (as it was before June 2013). I.e. without confirming with one time
password, which comes by sms, it is possible to log into account - unlike
web site of Privat24, where OTP is always asking.

The only time, when sms with OTP comes - it's on new device to lock it to
the account. After that there is no more OTP. This can be bypassed at
accessing to victim's phone or tablet or by using the first hole from those
which I found in Privat24 earlier. To steal money from account with
bypassing OTP for transaction (as in web site of Privat24) the second hole
can be used from those which I found in Privat24 earlier. Both these
vulnerabilities will be disclosed soon.

Watch demonstration video of vulnerability in Privat24:
http://www.youtube.com/watch?v=d1ifN8MPZQo

------------
Timeline:
------------ 

2013.03.14 - found two vulnerabilities in Privat24 for Android.
2013.03.15 - informed PrivatBank. Ignored.
2013.06.06 - found new vulnerability (described in this advisory) in
Privat24 for Android (later tested in iOS).
2013.06.06 - informed PrivatBank. Answered, that they were aware about it
and were working to fix it.
2013.06.06 - announced at my site.
2013.06 - 2013.09 - multiple times reminded PrivatBank about this hole and
gave arguments about previous two holes.
2013.09.13 - disclosed at my site (http://websecurity.com.ua/6554/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ