Sathya Prakash, an Indian security researcher, discovered several security issues in the mobile app of an Indian bank which, if exploited, would have allowed an attacker to steal all of the bank's funds.
The discovery dates back to last fall, when he decided to take the bank's iOS app for a test run. Being a trained professional, the researcher wasn't satisfied with pushing buttons and looking at colored charts, so he connected the device to debugging and traffic-inspection tools to see what was going on under the hood.
No certificate pinning, bad user login session architecture
The researcher quickly discovered that the app lacked some basic security controls, most notably certificate pinning, which the app did not use at all. (The original report refers to HPKP; that is the browser-header form of public-key pinning. A mobile app pins in its own TLS configuration, but the effect of not pinning is the same.)
Without pinning, the app accepts any certificate that chains to a CA the device trusts, including one the user was tricked into installing or one issued by a compromised CA. That exposed users to MitM (Man in the Middle) attacks even though all traffic to and from the bank was encrypted and sent over HTTPS.
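To make the missing control concrete, here is certificate pinning layered on top of normal TLS validation, written in Python for illustration. This is an added example, not the bank's app code or the researcher's tooling; the host, port and pin values are placeholders, and the pins are SHA-256 digests of the leaf certificate's DER encoding.

```python
"""Certificate pinning on top of standard TLS validation.

Added example, not code from the bank's app or from the researcher.
The server name and pin strings are assumptions for illustration.
"""
import base64
import hashlib
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """The server passed CA/hostname validation but presented a certificate we do not pin."""


def pin_for(der: bytes) -> str:
    """Pin string for a DER-encoded certificate: base64(SHA-256(der))."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def pin_from_pem(pem: str) -> str:
    """Compute the pin for a certificate exported as PEM (what you would ship in the app)."""
    return pin_for(ssl.PEM_cert_to_DER_cert(pem))


def check_pin(leaf_der: bytes, pins: set) -> bool:
    """True only if the presented leaf certificate is one of the pinned ones."""
    return pin_for(leaf_der) in pins


def connect_pinned(host: str, port: int, pins: set, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that is torn down unless the leaf certificate is pinned.

    Chain validation and hostname matching still run first (create_default_context
    enables both). Pinning is the extra check that stops a user-installed or
    compromised CA from being enough to intercept the traffic.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)   # DER of the leaf certificate
    if not check_pin(leaf, pins):
        tls.close()
        raise PinMismatch(f"leaf certificate for {host} is not in the pin set")
    return tls


if __name__ == "__main__":
    # Placeholder host and pins (assumptions): fill in the real values
    # before using this against a live service.
    PINNED = {"replace-with-current-pin=", "replace-with-backup-pin="}
    try:
        sock = connect_pinned("bank.example", 443, PINNED)
        sock.close()
        print("pinned connection established")
    except (OSError, ssl.SSLError) as exc:
        print(f"connection refused by pinning or network: {exc}")
```

Two practical caveats: pinning the leaf certificate means the app must ship the next certificate's pin before the server rotates (hence a backup pin in the set), and a pinning failure must abort the connection rather than fall back to the unpinned path, or the control is decorative.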
Furthermore, Prakash found that the app had a "careless architecture" for user login sessions, which apparently never expired. A session token captured once remained valid indefinitely, so combined with the MitM attack above, a third party could carry out operations on behalf of the user without ever having to authenticate.
Researcher could have emptied out all bank accounts
But things didn't end there. Prakash also looked at how the app handled bank transactions. By examining the parameters of the transfer request, he reverse engineered the entire process and found that the server would move money from any account to any other account, with the caller never having to authenticate.
In effect, Prakash had found a way to move any of the bank's money, which the researcher says amounted to around $25 billion at the end of 2015.
Luckily for the bank, Prakash wasn't that kind of person. He contacted them by email, explained the issues and even provided proof-of-concept code to help them reproduce and fix them. The bank corrected all of the problems twelve days later.
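The two server-side failures described above (sessions that never expire, and a transfer endpoint that does not check who is calling or whether they own the source account) are easiest to see side by side. The following is an added example in Python, not the bank's backend code: the timeouts, account identifiers and balances are constructed for illustration, and the unchecked handler reproduces the behaviour the article describes only so the hardened version can be compared against it.

```python
"""Session expiry and transfer authorization, the two server-side checks the
article says were missing. Added example with constructed data; not the bank's code."""
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values (assumptions, not figures from the article).
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60   # hard cap on session age regardless of activity


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by a 256-bit random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token, now=None):
        """Return the session's user, or None if the token is unknown or expired.
        Expired sessions are deleted so a captured token cannot be replayed later."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def revoke(self, token):
        self._sessions.pop(token, None)


def sample_ledger():
    """Constructed ledger: account id -> owner and balance in minor units."""
    return {
        "ACC-1001": {"owner": "alice", "balance": 50_000},
        "ACC-2002": {"owner": "bob", "balance": 10_000},
    }


class TransferError(Exception):
    pass


def transfer_unchecked(ledger, src, dst, amount):
    """The behaviour the article describes: the request names both accounts and
    the server moves the money without establishing who the caller is."""
    ledger[src]["balance"] -= amount
    ledger[dst]["balance"] += amount


def transfer(ledger, store, token, src, dst, amount, now=None):
    """Hardened handler: live session required, caller must own the source
    account, amount must be a positive integer covered by the balance."""
    user = store.lookup(token, now)
    if user is None:
        raise TransferError("no valid session")
    if src not in ledger or dst not in ledger:
        raise TransferError("unknown account")
    if ledger[src]["owner"] != user:
        raise TransferError("caller does not own the source account")
    if not isinstance(amount, int) or amount <= 0:
        raise TransferError("amount must be a positive integer")
    if ledger[src]["balance"] < amount:
        raise TransferError("insufficient funds")
    ledger[src]["balance"] -= amount
    ledger[dst]["balance"] += amount
    return ledger[src]["balance"]


if __name__ == "__main__":
    ledger, store = sample_ledger(), SessionStore()
    token = store.create("alice")
    print("alice -> bob:", transfer(ledger, store, token, "ACC-1001", "ACC-2002", 5_000))
    try:
        transfer(ledger, store, token, "ACC-2002", "ACC-1001", 1)
    except TransferError as exc:
        print("blocked:", exc)
```

The ownership check is the one that matters most here: even with expiring sessions, a handler that trusts the source account in the request lets any authenticated user move anyone's money. The ledger also has no concurrency control, which a real transfer endpoint would need.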