The Bank Job – breaking a mobile banking application (opens in new tab)

(boris.in)

135 pointsdeproders9y ago39 comments

39 comments

It's actually quite heart-breaking to see the extent gone to to reveal the bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.

retox9y ago

The next bug found will be sold on the blackmarket. False economy.

nbevans9y ago

Presumably any reward would need to be approved by an executive other than just the IT director since clearly they have no policy in place. The IT director would not want his department's incompetence to be known higher up the board.

As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.

0x4242429y ago

It took 12 days for them to reply back saying that "They're working on a fix". The fix was not out at least until Late December/Early Jan. And they did not block fund transfers during the intermediate period either.

oxide9y ago

ah, the benefit of the doubt.

I used to give that out like candy, too.

franjkovic9y ago

The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.

tobltobs9y ago

It would be common sense to pay a bounty. Similar to the reward you should get if you find somebody's wallet. If you are known for not paying a bounty (a finder reward) some people will not tell you your security holes (will not give you back your wallet).

On the long run this will be more expensive than the bounty. But the problem might be that if the would pay a bounty, they would admit that the screwed it, what their lawyers would like to prevent.

bitJericho9y ago

I would absolutely never expect or even accept a reward for a lost wallet. It's our duty as a member of a civilized society to not steal.

If a wallet finder failed to give me my wallet back, I'd just call the police.

3 more replies

0x4242429y ago

OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion with the bank so they know that paying bounty for disclosures is a thing.

saganus9y ago

Nice work OP.

You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.

However, the thing that worries me with these things is that, what if some "bad guys" already knew about this and exploiting it and now that the bank is aware and might close the hole, makes them angry and looking for retaliation?

Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.

Sad world we live in :( so take care OP.

1 more reply

retox9y ago

The value of the write-up is a reward at least.

bdavisx9y ago

If the bank doesn't have a disclosure/bounty program, you can easily end up getting yourself arrested.

tdkl9y ago

Probably from goodwill. Sadly the bank couldn't afford it, they can afford getting stolen from anyway. The bank always wins.

1024core9y ago

Don't think of it as a bounty. Think of it as payment for services rendered.

LukeB_UK9y ago

Cached copy because the site seems to be struggling: http://archive.is/2FN8G

jbaviat9y ago

Having done similar pentests on similar applications during my previous jobs, you can imagine the level of security many editors have on the pair (client app, server). And we are talking here about a banking application: banks have always been more concerned buy security than other software consumers.

forgingahead9y ago

It's actually important to name the vendor responsible for this mess so this doesn't happen again.

sremani9y ago

I would not do it (if I were the guy), India is litigious mess and a motivated financial strongman/entity can screw you for Years without a verdict and if they allege there is a hacking attack, the Judiciary is in no position to handle that kind of sophistication and have a more or less fire first and ask questions later way of doing things.

prab979y ago

From one of the screenshots and other data points, looks like it is SBI

tener9y ago

Prediction: in the coming months we will hear about more issues of this kind. This time though it will be mafia inspired by the story, stealing money for real.

udkl9y ago

This is the result of hiring mediocre developers and not performing sufficient security testing/analysis and threat modeling.

j / k navigate · click thread line to collapse

39 comments

jamies8888889y ago

It's actually quite heart-breaking to see the extent gone to to reveal the bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.

retox9y ago

The next bug found will be sold on the blackmarket. False economy.

nbevans9y ago

As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.

0x4242429y ago

oxide9y ago

ah, the benefit of the doubt.

I used to give that out like candy, too.

franjkovic9y ago

The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.

tobltobs9y ago

On the long run this will be more expensive than the bounty. But the problem might be that if the would pay a bounty, they would admit that the screwed it, what their lawyers would like to prevent.

bitJericho9y ago

I would absolutely never expect or even accept a reward for a lost wallet. It's our duty as a member of a civilized society to not steal.

If a wallet finder failed to give me my wallet back, I'd just call the police.

3 more replies

0x4242429y ago

OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion with the bank so they know that paying bounty for disclosures is a thing.

saganus9y ago

Nice work OP.

Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.

Sad world we live in :( so take care OP.

1 more reply

retox9y ago

The value of the write-up is a reward at least.

bdavisx9y ago

If the bank doesn't have a disclosure/bounty program, you can easily end up getting yourself arrested.

tdkl9y ago

Probably from goodwill. Sadly the bank couldn't afford it, they can afford getting stolen from anyway. The bank always wins.

1024core9y ago

Don't think of it as a bounty. Think of it as payment for services rendered.

LukeB_UK9y ago

Cached copy because the site seems to be struggling: http://archive.is/2FN8G

jbaviat9y ago

forgingahead9y ago

It's actually important to name the vendor responsible for this mess so this doesn't happen again.

sremani9y ago

prab979y ago

From one of the screenshots and other data points, looks like it is SBI

tener9y ago

Prediction: in the coming months we will hear about more issues of this kind. This time though it will be mafia inspired by the story, stealing money for real.

udkl9y ago

This is the result of hiring mediocre developers and not performing sufficient security testing/analysis and threat modeling.

j / k navigate · click thread line to collapse