
How I congratulated my nephew on his birthday

Once again, while using the Internet banking of the Ukrainian Alfa-Bank, my attention was drawn to the form for sending a receipt by email:



What was interesting about it was that the subject of the letter and the text of the message could be edited. Having examined the request sent to the server, I found that it was possible to send only the subject and the message text, without the receipt itself.

The resulting request took the following form:

https://my.alfabank.com.ua/report/email?id=&type=order&recipientEmail=your.email@gmail.com&subject=!!!&body=     http://fakesite.com&next= 

Thus, it turned out that I could send a letter with absolutely any content on behalf of Alfa-Bank, from ccd@alfabank.kiev.ua, to any email address. I immediately notified the bank's security service of the vulnerability I had found, but, unfortunately, after 2 months they had not taken measures to eliminate it. The only reassuring thing is that mandatory two-factor authorization via SMS or email has recently been introduced in the Internet banking, which makes exploiting this vulnerability from compromised accounts an order of magnitude more difficult.
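The flaw described above comes down to the server trusting client-supplied `subject` and `body` fields and not insisting on a receipt that belongs to the logged-in user. The following Python is an added illustration, not code from the post or from the bank: it places a handler with that shape beside a hardened one in which the server renders the whole message from its own template and only accepts a receipt id and a destination address. The receipt table, the `bank.example` sender, and the function names are constructed for the example.

```python
"""Receipt-by-email endpoint: the insecure pattern beside a hardened version."""
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical): receipts keyed by id, each owned by a user.
RECEIPTS = {
    "ord-1001": {"owner": "user-a", "amount": "250.00 UAH", "payee": "Energy Co"},
    "ord-2002": {"owner": "user-b", "amount": "80.00 UAH", "payee": "Water Utility"},
}

SENDER = "noreply@bank.example"   # placeholder sender address, not a real one
ALLOWED_TYPES = {"order"}
# Deliberately strict: no whitespace or CR/LF, so a recipient cannot inject headers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


def build_email_insecure(params: dict) -> Email:
    """Mirrors the flaw in the post: subject and body come straight from the
    request, and a missing receipt id does not stop the send."""
    return Email(
        sender=SENDER,
        recipient=params.get("recipientEmail", ""),
        subject=params.get("subject", ""),
        body=params.get("body", ""),
    )


def build_email_hardened(params: dict, session_user: str) -> Email:
    """The server decides the whole message; the client only says which receipt
    to send and where. Client-supplied 'subject'/'body' are ignored entirely."""
    receipt_id = params.get("id") or ""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["owner"] != session_user:
        # Same error for unknown and foreign ids, so ids cannot be enumerated.
        raise ValueError("receipt not found")
    if params.get("type") not in ALLOWED_TYPES:
        raise ValueError("unsupported report type")
    recipient = params.get("recipientEmail", "")
    if len(recipient) > 254 or not EMAIL_RE.fullmatch(recipient):
        raise ValueError("invalid recipient")
    subject = f"Payment receipt {receipt_id}"
    body = (
        f"Receipt {receipt_id}\n"
        f"Payee: {receipt['payee']}\n"
        f"Amount: {receipt['amount']}\n"
    )
    return Email(sender=SENDER, recipient=recipient, subject=subject, body=body)


def is_rejected(params: dict, session_user: str) -> bool:
    """Helper for checks: True if the hardened handler refuses the request."""
    try:
        build_email_hardened(params, session_user)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attacker_params = {"type": "order", "recipientEmail": "victim@mail.example",
                       "subject": "!!!", "body": "http://fakesite.com"}
    print("insecure sends:", build_email_insecure(attacker_params))
    print("hardened rejects (no id):", is_rejected(attacker_params, "user-a"))
    print(build_email_hardened({**attacker_params, "id": "ord-1001"}, "user-a"))
```

The important design choice is that the hardened handler never copies free text from the request into the outgoing mail: the only client-controlled value that reaches the message is the recipient, and it is validated against a pattern that excludes the characters needed for header injection. Ownership is checked against the session user, so one customer cannot mail out another customer's receipt, and the same error is returned for missing, unknown and foreign ids.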

And finally, taking this opportunity, I congratulated my nephew on his most recent birthday:

Source: https://habr.com/ru/post/247115/
