
Vulnerability in payment service Platinum Bank (Ukraine)

Not so long ago, I decided to test another bank or payment company for a simple, but no less popular, vulnerability of the type "ability to view other clients' transactions".

Why do I call this vulnerability simple? Because the Ukrainian electronic payment system Portmone.com had exactly such an error last year. So did Fidobank (post on Habrahabr). And, like the Qiwi and Tinkoff Bank cases mentioned there, there are many more examples. And how many have not yet been found, or not published...

So, in order to warm up the brain, I wanted to check someone else. And at the end of August, Platinum Bank introduced the new payment portal pay.ptclick.com.ua .
About Platinum Bank from the official site:
Platinum Bank is one of the largest participants in the domestic banking system. It belongs to group I of banks according to the NBU rating (Platinum Bank accounts for more than 0.5% of the assets of the banking system of Ukraine). The regional network has 69 offices and 1080 points of sale in various regions of Ukraine...

The bank is also actively working on the Digital Bank project. In particular, it is actively developing the platform pay.ptclick.com.ua and the laboratory of financial innovations Platinum Lab.

So I decided to check it for this obvious vulnerability.

Registration on the pay.ptclick.com.ua portal is extremely simple - e-mail + password and captcha field.



Since I was looking for one specific error, viewing information about other customers' payments, I needed something to start from.

After registering, I made a payment (a mobile top-up) and, after the operation, went to the "History" section.

The "History" section lets you:

1) view the transaction data by the link of the form pay.ptclick.com.ua/ru/history/paymentdetails/XXXX
2) repeat this operation by clicking on pay.ptclick.com.ua/ru/biller/payment/XXXX
3) download the PDF receipt via the link pay.ptclick.com.ua/ru/biller/receipt/XXXXXXXX
4) send a receipt to the e-mail link pay.ptclick.com.ua/ru/history/sendreceipt/XXXXXXXX

So, by simply iterating over the numeric parameter XXXX in any of the links above, you can get information about other clients' operations. XXXXXXXX is a little more complicated, but iterating over such operations does not even require being logged in (!) to the payment portal.
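The defect described above is a missing ownership check on a sequential identifier (an insecure direct object reference). The following is an added illustration, not code from the portal or from the author of this post: a minimal payment store with the vulnerable lookup beside a hardened one, and a separate random token for receipt links that have to work without a session. All names (`PaymentStore`, `details_vulnerable`, `details`, `receipt`) and the sample accounts are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Payment:
    payment_id: int        # sequential database id, like the numeric XXXX in the links
    owner_email: str       # the account that created the payment
    description: str
    receipt_token: str     # random, unguessable handle for links that work without login


class NotFound(Exception):
    """Raised for both 'no such payment' and 'not your payment'."""


class PaymentStore:
    """Hypothetical in-memory store standing in for the portal's database."""

    def __init__(self):
        self._by_id = {}
        self._by_token = {}
        self._next_id = 4700   # constructed starting id, sequential like the real one

    def add(self, owner_email, description):
        token = secrets.token_urlsafe(24)            # 192 bits of randomness, 32 url-safe chars
        payment = Payment(self._next_id, owner_email, description, token)
        self._next_id += 1
        self._by_id[payment.payment_id] = payment
        self._by_token[token] = payment
        return payment

    def details_vulnerable(self, payment_id):
        """Looks up by the URL parameter alone: any logged-in user can read any payment."""
        payment = self._by_id.get(payment_id)
        if payment is None:
            raise NotFound(payment_id)
        return payment

    def details(self, payment_id, current_user):
        """Hardened: the lookup is scoped to the requesting account."""
        payment = self._by_id.get(payment_id)
        if payment is None or payment.owner_email != current_user:
            # Same response for 'missing' and 'not yours', so ids cannot be probed.
            raise NotFound(payment_id)
        return payment

    def receipt(self, token):
        """Receipt link usable without a session: safe only because the token is unguessable."""
        payment = self._by_token.get(token)
        if payment is None:
            raise NotFound(token)
        return payment


def demo():
    """Constructed scenario: two accounts, one trying to read the other's payment."""
    store = PaymentStore()
    alice = store.add("alice@example.com", "mobile top-up")
    bob = store.add("bob@example.com", "internet bill")
    leaked = store.details_vulnerable(bob.payment_id)      # alice's session, bob's data
    try:
        store.details(bob.payment_id, "alice@example.com")
        blocked = False
    except NotFound:
        blocked = True
    own = store.details(alice.payment_id, "alice@example.com")
    return leaked.owner_email, blocked, own.payment_id, len(bob.receipt_token)


if __name__ == "__main__":
    print(demo())
```

The important design choice is in `details`: the owner comparison is part of the lookup itself, not a separate check that a later code path can forget, and a foreign id produces the same "not found" answer as a non-existent one. For links that must work without a session (receipt download, send-to-e-mail), the only safe handle is one the client cannot enumerate, which is why `receipt` is keyed by the random token rather than by the database id.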

[Screenshots: examples of some operations]
Thus, on the portal you can get information on all operations of all customers who have used pay.ptclick.com.ua: payments for utilities, Internet, mobile, Skype, etc.
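Even before the code is fixed, this kind of walk through sequential ids leaves an obvious trace in the web server's access log: one client requesting many adjacent ids on the same endpoint. The example below is added here and is not the bank's tooling or the author's; it parses a constructed combined-format log (the ip addresses, timestamps and ids are made up) and flags a source that fetched a near-consecutive run of ids on any of the four endpoints named in this post. The thresholds `min_run` and `max_gap` are assumptions to be tuned to real traffic.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/Nginx combined-log style; not real portal logs.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2016:10:00:01 +0300] "GET /ru/history/paymentdetails/4711 HTTP/1.1" 200 1532
10.0.0.5 - - [17/Oct/2016:10:00:09 +0300] "GET /ru/biller/receipt/16104711 HTTP/1.1" 200 20480
10.0.0.5 - - [17/Oct/2016:10:02:40 +0300] "GET /ru/history/paymentdetails/4712 HTTP/1.1" 200 1498
203.0.113.9 - - [17/Oct/2016:10:05:00 +0300] "GET /ru/history/paymentdetails/4700 HTTP/1.1" 200 1510
203.0.113.9 - - [17/Oct/2016:10:05:01 +0300] "GET /ru/history/paymentdetails/4701 HTTP/1.1" 200 1507
203.0.113.9 - - [17/Oct/2016:10:05:02 +0300] "GET /ru/history/paymentdetails/4702 HTTP/1.1" 200 1522
203.0.113.9 - - [17/Oct/2016:10:05:03 +0300] "GET /ru/history/paymentdetails/4703 HTTP/1.1" 404 312
203.0.113.9 - - [17/Oct/2016:10:05:04 +0300] "GET /ru/history/paymentdetails/4704 HTTP/1.1" 200 1519
203.0.113.9 - - [17/Oct/2016:10:05:05 +0300] "GET /ru/history/paymentdetails/4705 HTTP/1.1" 200 1503
203.0.113.9 - - [17/Oct/2016:10:05:06 +0300] "GET /ru/history/paymentdetails/4706 HTTP/1.1" 200 1511
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# The four endpoints from the post; the trailing number is the id being enumerated.
PATH_RE = re.compile(
    r'^/ru/(?P<endpoint>history/paymentdetails|biller/payment|biller/receipt|history/sendreceipt)/(?P<id>\d+)'
)


def parse_log(lines):
    """Return one dict per well-formed access-log line; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_enumeration(lines, min_run=5, max_gap=2):
    """Flag (ip, endpoint) pairs that requested a near-consecutive run of ids.

    Status codes are deliberately ignored: a probe that hits 404 on some ids
    is still a probe, and a successful one is the data leak itself.
    """
    ids_seen = defaultdict(set)
    for rec in parse_log(lines):
        m = PATH_RE.match(rec["path"])
        if m:
            ids_seen[(rec["ip"], m.group("endpoint"))].add(int(m.group("id")))

    alerts = {}
    for key, ids in ids_seen.items():
        ordered = sorted(ids)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            alerts[key] = {"distinct_ids": len(ordered), "longest_run": best,
                           "first_id": ordered[0], "last_id": ordered[-1]}
    return alerts


if __name__ == "__main__":
    for (ip, endpoint), info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} enumerated {endpoint}: {info}")
```

A legitimate customer only ever asks for their own handful of ids, so the legitimate account in the sample (two adjacent ids, one receipt) stays under the threshold while the sequential walk from the second address is reported. The same grouping key makes a useful rate-limit key on the server side, and for the unauthenticated receipt endpoint it is the only identity the server has.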



I wrote to the bank about this situation several times; the first message, to the addresses I could find, was sent in the first days of October, two months ago.

Initially, I asked the responsible specialist to contact me, without specifying specific information about the error, so as not to spread it among those who should not know it.

But from the bank I constantly received an answer in the spirit of "In order for our representative to contact you, please indicate your contact details and the time when it will be convenient for you to receive a call" (that is, my e-mail was not enough to communicate; they needed a phone number).

Later, shortening the links via bit.ly (which lets you see how many people click on them), I pointed out exactly where the problem was. To date, each of the links has had about 6-7 clicks.



Interestingly, the first clicks on the links were made only on October 17-18, when I once again reminded them of the problem, and not at the beginning of October, when I wrote to them for the first time.

It follows that the first messages with links describing the error, sent by me in early October, were not passed on to the responsible persons for about two weeks.

Then came the rest of the clicks, in November: namely, the day after I reminded them of the problem once more, found a working e-mail address for the manager responsible for this portal, and wrote to him personally.



The bottom line: despite my notifications about the problem through different channels, the error has still not been fixed by Platinum Bank, two (!) months after the first report.

Source: https://habr.com/ru/post/314734/
