
SberShift: press five times and get into the system

Screenshot of the request for sticking the keys

Remember one of the most annoying features of Windows, especially familiar to gamers: pressing the Shift key five times brings up a special window offering to enable Sticky Keys? This "feature" survived right up to Windows 10, by the way. Well, standing at a Sberbank terminal with a full-sized keyboard and waiting for an operator to answer the phone, I decided to press that Shift key out of boredom, naively believing that without function keys it would lead to nothing. How wrong I was! Five quick presses of the key gave me that little window and, on top of that, exposed the taskbar with all the banking software. By stopping the batch file (see the taskbar in the video below), and then the entire banking software, you can break the terminal.
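The Shift-five-times prompt is the Sticky Keys hotkey, controlled by bit 0x4 (the HOTKEYACTIVE flag) of the REG_SZ `Flags` value under `HKCU:\Control Panel\Accessibility`. As an added defensive example that is not part of the original post, this script audits the kiosk user's accessibility hotkeys (Sticky, Filter, Toggle and Mouse Keys, which share the same bit) and clears that bit; the default `Flags` values used when a key is absent are Windows' shipped defaults, stated here as an assumption.

```powershell
# Added example, not code from the original post or from Sberbank.
# Run in the kiosk user's session (HKCU), then log off and on for it to take effect.
$hotkeyBit = 0x4   # SKF/FKF/TKF/MKF_HOTKEYACTIVE: the hotkey is enabled while this bit is set

# Windows' default Flags values (assumed) are used only when the value is missing.
$accessibilityKeys = @(
    @{ Path = 'HKCU:\Control Panel\Accessibility\StickyKeys';        Default = 510 },
    @{ Path = 'HKCU:\Control Panel\Accessibility\Keyboard Response'; Default = 126 },  # FilterKeys
    @{ Path = 'HKCU:\Control Panel\Accessibility\ToggleKeys';        Default = 62 },
    @{ Path = 'HKCU:\Control Panel\Accessibility\MouseKeys';         Default = 62 }
)

function Get-CurrentFlags($entry) {
    # Flags is stored as a string (REG_SZ); convert it to an integer for bit tests.
    $value = (Get-ItemProperty -Path $entry.Path -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($null -eq $value) { return [int]$entry.Default }
    return [int]$value
}

function Get-AccessibilityHotkeyState {
    # Audit: one row per accessibility feature, showing whether its hotkey is live.
    foreach ($k in $accessibilityKeys) {
        $flags = Get-CurrentFlags $k
        [pscustomobject]@{
            Feature      = Split-Path $k.Path -Leaf
            Flags        = $flags
            HotkeyActive = (($flags -band $hotkeyBit) -ne 0)
        }
    }
}

function Disable-AccessibilityHotkeys {
    # Harden: clear only the hotkey bit, leaving the other feature settings untouched.
    foreach ($k in $accessibilityKeys) {
        $new = (Get-CurrentFlags $k) -band (-bnot $hotkeyBit)   # e.g. StickyKeys 510 -> 506
        New-Item -Path $k.Path -Force | Out-Null
        Set-ItemProperty -Path $k.Path -Name Flags -Value ([string]$new) -Type String
    }
}

Get-AccessibilityHotkeyState | Format-Table -AutoSize   # before
Disable-AccessibilityHotkeys
Get-AccessibilityHotkeyState | Format-Table -AutoSize   # after: HotkeyActive should be False everywhere
```

A per-user registry setting only closes this one door; a kiosk still needs a restricted shell or application allow-listing so that an exposed taskbar cannot be used to stop the banking software.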



"This is for me," I thought, and tried to report the problem I had found. It was the first time I had wanted to do this, so I could think of nothing better than to ask a Sberbank employee whom to report it to. The girl rather reluctantly answered that she knew nothing; when asked how to contact her superiors, she answered with laconic silence and advised me to contact customer support by the phone number printed on the terminal itself. Okay, let's call. Unfortunately, there is no recording of the call; only a screenshot with the date of the call remains.

Screenshot from the phone from the call log
In technical support, a friendly girl, once I said that I wanted to report a vulnerability, immediately switched me to some other specialist. He first asked for my contact details and the terminal number, then for the essence of the problem; then I listened to music for a long time, and in the end the guy said that the problem had been fixed. When asked whether any reward was due for reporting such problems, he replied that he had no such information. With that, the conversation was over, but I decided to try my luck a third time and turned to a girl who helps clients with the terminals. She also looked at the pop-up window, after which she advised me to call the cash collectors, and my request for their number got only vague answers.

All this happened on the sixth of December. Two weeks later, I decided to check how things stood with the terminal. After all, they had said the problem was "fixed", so it should have been fixed by then, but no: it is still there, the window still pops up. I am not an expert in information security and cannot judge how much damage this "feature" can cause, but judging by the sluggish reaction, apparently none. Therefore, given Sberbank's inaction, I report the cheerful SberShift action to you, dear Habr readers.

UPDATE from 12/29/2017
TL;DR: the vulnerability has been fixed, the window no longer opens. Checked in person. For this I was given a diary and a card holder.

One day after this post, a person representing Sberbank contacted me by e-mail from the sberbank.ru domain, who was going to "raise the question of the quality of the consultation and check where the pending question had flown". The contact asked for my phone number and the date on which the appeal was made. I gave him this data, and a day later I was told that Sberbank staff were already correcting the problem.
Then, on December 22, I received a call on my mobile from a local Sberbank branch asking me to come to the head office for an "apology gift". A corporate diary and a wallet for bank cards were presented as that gift. On the same day I was not too lazy and went to "visit" the Sberbank terminal, poking Shift again. There was no reaction, so the problem has been solved.

Today Sberbank contacted me and asked me to write this update. Honestly, I had long intended to do so, but my studies kept distracting me. Today was a free day. So here I quote, spelling preserved, Sberbank's comment, which the company asked me to add:
This information is no longer relevant today. To date, the described vulnerability has been eliminated at all similar Sberbank information and payment terminals equipped with an extended full-size keyboard. We also note that the described vulnerability did not pose any risk to the security of the devices. The protective measures in use do not allow any illegal actions at the terminal or ATM that could harm customers or the bank.
In this case, we are grateful to our customers for their attentiveness and feedback on the detected features of the configuration of our systems. In turn, we try to respond as quickly as possible and take into account your wishes regarding the operation of all our systems and services.

Source: https://habr.com/ru/post/345038/

