Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Vulnerability in Privat24 for Android and iOS
From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 30 Sep 2013 23:55:51 +0300

Hello list!

This is Insufficient Process Validation vulnerability in Privat24. Which
allows to bypass OTP (in sms) and steal money from users' accounts.

Privat24 - it's Internet banking from PrivatBank. And all mobile clients are
vulnerable, unlike web site of Privat24. Since 06.06.2013, after I found the
hole and inform PrivatBank, they still haven't fixed it.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions (because the hole depends on server
configuration). Tested in Privat24 3.27.2 for Android and Privat24 4.8.6 for
iOS. Version for Windows Phone must be affected as well.

-------------------------
Affected vendors:
-------------------------

PrivatBank

Privat24 for iOS
https://itunes.apple.com/ru/app/privat24/id326277589?mt=8
Privat24 for Android
https://play.google.com/store/apps/details?id=ua.privatbank.ap24
https://play.google.com/store/apps/details?id=ua.privatbank.ap24old
Privat24 for Windows Phone
http://www.windowsphone.com/ru-ru/store/app/privat24/134e3c22-dab5-4305-906b-78ec850bfe32

----------
Details:
----------

Insufficient Process Validation (WASC-40):

At logging into Privat24 via clients for Android and iOS the OTP is not
asking (as it was before June 2013). I.e. without confirming with one time
password, which comes by sms, it is possible to log into account - unlike
web site of Privat24, where OTP is always asking.

The only time, when sms with OTP comes - it's on new device to lock it to
the account. After that there is no more OTP. This can be bypassed at
accessing to victim's phone or tablet or by using the first hole from those
which I found in Privat24 earlier. To steal money from account with
bypassing OTP for transaction (as in web site of Privat24) the second hole
can be used from those which I found in Privat24 earlier. Both these
vulnerabilities will be disclosed soon.

Watch demonstration video of vulnerability in Privat24:
http://www.youtube.com/watch?v=d1ifN8MPZQo

------------
Timeline:
------------
2013.03.14 - found two vulnerabilities in Privat24 for Android.
2013.03.15 - informed PrivatBank. Ignored.
2013.06.06 - found new vulnerability (described in this advisory) in
Privat24 for Android (later tested in iOS).
2013.06.06 - informed PrivatBank. Answered, that they were aware about it
and were working to fix it.
2013.06.06 - announced at my site.
2013.06 - 2013.09 - multiple times reminded PrivatBank about this hole and
gave arguments about previous two holes.
2013.09.13 - disclosed at my site (http://websecurity.com.ua/6554/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Vulnerability in Privat24 for Android and iOS MustLive (Sep 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault