Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)
From: Andriy Tereshchenko <tag () 24 odessa ua>
Date: Mon, 11 Oct 2010 21:30:50 +0300
I suspect that the real reason for this app is intelligence on data about
bank clients from the Facebook database, to be used during debt collection
or while making loan decisions: Facebook profile, friends list and other info. ;-)
The person who has "invented" this app, Alexander Vityaz, has posted on his
wall (on 1 October) a link to an article on how many data-mining employees
LinkedIn has and what they do. Seems like he is willing to replicate the
same effort for banking purposes.
1. Alexander Vityaz Facebook Wall
2. Article about Dip Nashar - CEO of LinkedIn (in Russian)
On Mon, Oct 11, 2010 at 7:58 PM, Shreyas Zare <shreyas () secfence com> wrote:
LOL. It must be quite convenient to use banking alongside FarmVille.
Sr. Information Security Researcher
On Mon, Oct 11, 2010 at 3:57 AM, Andriy Tereshchenko <tag () 24 odessa ua> wrote:
1) Affected Service
* Privat24 application in Facebook created by PrivatBank, Ukraine
Rating: Moderate (needs user action or access to the mobile phone)
Impact: Exposure of sensitive financial information and unauthorized payment transactions
Where: Remote (man in the middle), Local (removed authentication factor)
Andriy G. Tereshchenko
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/