Password Reset OTP Bypass Critical Vulnerability in YesBank Banking Application

I am a customer of YesBank and I hold my savings account with them. I also use the YesBank’s online banking application and I strongly feel that they need to look into security of the application of the bank. So, as a responsible client, I disclosed the vulnerability to YesBank which I recently found in their application. And I would like to thank YesBank for fixing this issue immediately.

For those who do not know about YesBank, you can read about the bank on wiki.

YES BANK is India’s fifth largest private sector Bank, founded in 2004. Yes Bank is the only Greenfield Bank licence awarded by the RBI in the last two decades. YES BANK is a “Full Service Commercial Bank”, and has steadily built a Corporate, Retail & SME Banking franchise, Financial Markets, Investment Banking, Corporate Finance, Branch Banking, Business and Transaction Banking, and Wealth Management business lines across the country.

Introduction

I regularly perform the penetration testing on applications at SecureLayer7 and recently, I stumbled on a very simple bug in the YesBank online banking application (referred as YesBank in the remaining article). In general, YesBank provides a good number of features to million of banking users. Among these features, I found that the user account password reset feature was vulnerable to one of the OWASP’s Top 3 vulnerability, i.e. Injections.

This vulnerability is caused by poor input validation of the application. Consequently, attacker can use this vulnerability to bypass the OTP process to reset the bank account password. To exploit this vulnerability, attacker requires the information of the victim bank account. This information includes, for example their ATM number, ATM Pin, etc.

Several Indian banks are issuing an advisory to their customers, asking them to change their security code (more popularly known as ATM pin) or better replace the card, by Indian media reports

Once the attacker gathers all the information required to exploit this vulnerability, he can gain the access to the Online Banking Application account by resetting original password of the user.

The Proof of Concept

To execute the payload successfully switch OFF or turn ON the flight mode of the mobile. (Banking user information is blur for security reasons)

 

Vulnerability Timeline:

1) Vulnerability reported on 21st of Sept, 2016 to YesBank

2) Re-tested Vulnerability on 20th Oct, 2016. Found patched.

Takeway:

I always recommend to implement the universal input validations for the commonly known vulnerabilities, especially banking application should have all types of input validations on the un-trusted user inputs.