LOL. It must be quite convenient to use banking alongside FarmVille. Shreyas Zare
Sr. Information Security Researcher Secfence Technologies www.secfence.com On Mon, Oct 11, 2010 at 3:57 AM, Andriy Tereshchenko <[email protected]>wrote: > 1) Affected Service > > * Privat24 application in Facebook created by PrivatBank, Ukraine > > 2) Severity > > Rating: Moderate (need user actions or access to mobile phone) > Impact: Exposure of sensitive financial information > and unauthorized payment transactions > Where: Remote (man in the middle), Local (removed authentication factor) > > 3) Vendor's Description of Service > > "Privat24 application in Facebook allows to view bank statement recent > transactions on all your PrivatBank cards and account, refill mobile > phones balance. More services to be added in future." > > Product Description Link: > http://privatblog.com.ua/?p=269 > > Actual Product Link: > http://apps.facebook.com/pb_transactions/ > > 4) Description of Vulnerability > > During registration process Facebook application ask for one-time-password > from > SMS message sent to mobile phone of registered Privat24 user. > > Once user name supplied proper OTP from SMS - his Facebook account ID is > linked > to ID of PrivatBank client. > > Vulnerabilities are: > 1. SMS messages are not tagged in any way that they are from > Privat24 (Facebook) system and no risks are described to client on > disclosure of this OTP. > > 2. Secondary (mandatory) factor currently used on original > non-Facebook Privat24 > system ( http://privat24.ua ) is not used in this version of > application. > > 3. Once linking/authorization process is done - no future SMS codes or > passwords > are needed to access application others that Facebook account > login/password. > > 4. Client has no control on which Facebook accounts are linked to his > financial information. > > > Exploitation scenario: > > Attacker create fake Facebook accounts and link them to ID of Privat > client. > In order to link attacker need short-term access to the mobile phone > (in order to receive SMS code) > or setup fake website to ask for code from SMS (ex. eurovoice.tv SMS > best-song > voting process). > > After linking - attacker can access balances and statement on last > transactions > from all accounts of PrivatBank client. > As well attacker can make small (tested are ~10 UAH) payments without any > SMS passwords. > > 5) Solution > > a) SMS messages from Privat24 (Facebook) system should be tagged properly > in order to allow users clearly identify service and website URL of SMS > origin. > > b) SMS codes should be requested on each login to Privat24 (Facebook) > application (at least once per day) or SMS notification be sent on login. > > c) Static (existing) password factor should be used in order to link > Facebook > account to client ID or visit to ATM for extra password is > acceptable solution. > > Temporary solutions for current users offered by Rakaev Rostislav > from bank support: > > Option 1: Protect your mobile phone using PIN/password from usage by > wife/husband or co-workers. Never give it to unknown people. > > Option 2: Blacklist own phone-number for usage in PrivatBank Facebook > applications by contacting 0 800 500 003 (for Ukraine) > or online-chat support. > > 6) Timeline > > Postal mail letter addressed to author by PrivatBank from 03.05.2010 > No. 30.1.0/2-100412/1849 describe intentions of PrivatBank to restore extra > login factor (static password). > > Phone call from bank Security Department (Dnepropetrovsk) on 07.10.2010 > with apology on inability to address issues due to conflict of interests > with > Electronic Business Department. Insecurity accepted as trade-off. > > 7) Credits > > Discovered by client of PrivatBank. > > 8) About > > The Commercial bank PrivatBank (Ukraine) was founded in 1992. Its > services are used by more than 23% population of Ukraine population. > PrivatBank currently serves 420 thousand corporate clients and small > businesses, and over 13 million individual accounts. > > Moscomprivatbank Joint Stock Co. is subsidiary of PrivatBank. > It has about 1.5 million credit cards issued. > > Privat24 is online-banking system used by more 1 million clients in > Ukraine, > Russia and CIS. > > 9) Links > > Privat24 (Facebook version) > http://apps.facebook.com/pb_transactions/ > > Vendor announcement of service > http://privatblog.com.ua/?p=269 > > Existing Privat24 system > http://privat24.ua > > > > -- > Andriy G. Tereshchenko > Odessa, Ukraine > +380683777768 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
