Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 19 Oct 2010 22:06:07 +0300

Hello Andriy!

It's interesting issues in Privat24 (Facebook version). Which concerns all
users of Privat24, not only users of Privat24 for Facebook, but especially
concerns users of Privat24 for Facebook, because against them there are many
attack vectors.

Besides phishing attacks, there can be made attack (with vulnerabilities
#3,4 in you list) on users of Facebook, which are using Privat24-Facebook
client, and this attack will not require any social engineering. When user
linked his Facebook account to his Privat24 account, for attacker it'll be
needed only to compromise his Facebook account to get to all his financial
information and credit cards. For which holes at Facebook can be used (and
there are many such ones as it's well known).

Note that the issue with sms (vulnerability #1 in you list) is similar to
issue of Privat Bank's LiqPAY, which you disclosed earlier this year
(http://www.securityfocus.com/archive/1/510284). And if they fixed issue
with sms in case of LiqPAY (in a five days after your disclosure), then they
didn't fix it in case of Facebook version of Privat24. Which is strange,
because they could quickly fixed text of these sms-messages, as they early
did for their LiqPAY system.

At least there was an effect from your informing and disclosing of
hole in LiqPAY ;-) - Privat Bank fixed it. This is that rare case when
they fixed the holes which they were warned about. Because they ignored all
my warnings to Privat Bank during 2008-2010 about multiple vulnerabilities
at many of their sites (and so didn't answer and didn't fix the holes).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

[Full-disclosure] Privat24 (Facebook version) bypass of static password for
accounts of PrivatBank (Ukraine, Russia and CIS)
Andriy Tereshchenko tag at 24.odessa.ua
Sun Oct 10 23:27:52 BST 2010


1) Affected Service

* Privat24 application in Facebook created by PrivatBank, Ukraine

2) Severity

Rating: Moderate (need user actions or access to mobile phone)
Impact: Exposure of sensitive financial information
           and unauthorized payment transactions
Where: Remote (man in the middle), Local (removed authentication factor)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS) MustLive (Oct 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]