Full Disclosure mailing list archives
Re: Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 19 Oct 2010 22:06:07 +0300
Hello Andriy!

These are interesting issues in Privat24 (Facebook version), which concern all users of Privat24, not only users of Privat24 for Facebook, but especially users of Privat24 for Facebook, because against them there are many attack vectors. Besides phishing attacks, an attack (with vulnerabilities #3,4 in your list) can be made on users of Facebook who are using the Privat24-Facebook client, and this attack will not require any social engineering. When a user has linked his Facebook account to his Privat24 account, for the attacker it is only necessary to compromise his Facebook account to get to all his financial information and credit cards. For this, holes at Facebook can be used (and there are many such ones, as is well known).

Note that the issue with sms (vulnerability #1 in your list) is similar to the issue with Privat Bank's LiqPAY, which you disclosed earlier this year (http://www.securityfocus.com/archive/1/510284). And if they fixed the issue with sms in the case of LiqPAY (in five days after your disclosure), they didn't fix it in the case of the Facebook version of Privat24. Which is strange, because they could quickly have fixed the text of these sms-messages, as they earlier did for their LiqPAY system.

At least there was an effect from your informing and disclosing of the hole in LiqPAY ;-) - Privat Bank fixed it. This is that rare case when they fixed the holes which they were warned about, because they ignored all my warnings to Privat Bank during 2008-2010 about multiple vulnerabilities at many of their sites (and so didn't answer and didn't fix the holes).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

[Full-disclosure] Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)
Andriy Tereshchenko tag at 24.odessa.ua
Sun Oct 10 23:27:52 BST 2010
1) Affected Service
* Privat24 application in Facebook created by PrivatBank, Ukraine

2) Severity
Rating: Moderate (need user actions or access to mobile phone)
Impact: Exposure of sensitive financial information and unauthorized payment transactions
Where: Remote (man in the middle), Local (removed authentication factor)
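As an added illustration of the point made in the reply above (this is not code from PrivatBank, Privat24 or either poster), the following Python models an authorization policy in which a linked social login identifies the customer but can never substitute for the bank's own static password or the SMS factor. The factor names, the operation list and the `Session` class are assumptions made for the example; `weak_authorize` shows the pattern the thread warns about, `authorize` the hardened policy.

```python
"""Added example: a linked social account must not replace the bank's
own authentication factors. All names below are assumptions."""
from dataclasses import dataclass, field

# Factors a session may have collected. Constructed labels, not Privat24's.
SOCIAL_LOGIN = "social_login"      # e.g. a linked Facebook session
BANK_PASSWORD = "bank_password"    # the bank's static password
SMS_OTP = "sms_otp"                # one-time code sent to the registered phone

# Factors each operation requires. SOCIAL_LOGIN is deliberately absent from
# every entry: compromising the social account alone must never be enough.
REQUIRED_FACTORS = {
    "view_balance": {BANK_PASSWORD},
    "view_cards": {BANK_PASSWORD},
    "make_payment": {BANK_PASSWORD, SMS_OTP},
}


@dataclass
class Session:
    user_id: str
    factors: set = field(default_factory=set)


def weak_authorize(session, operation):
    """The pattern described in the thread: a linked social login is treated
    as a full login, so the static password is bypassed for every operation."""
    return SOCIAL_LOGIN in session.factors or BANK_PASSWORD in session.factors


def authorize(session, operation):
    """Hardened policy: returns (allowed, missing_factors).

    The social login may select the customer record, but access is granted
    only when every bank-issued factor for the operation is present, and
    unknown operations are denied by default."""
    required = REQUIRED_FACTORS.get(operation)
    if required is None:
        return False, set()
    missing = required - session.factors
    return not missing, missing


if __name__ == "__main__":
    # A session that only proved control of the social account.
    social_only = Session("customer-1", {SOCIAL_LOGIN})
    print("weak policy, view_cards:", weak_authorize(social_only, "view_cards"))
    print("hardened policy, view_cards:", authorize(social_only, "view_cards"))
    # After the bank password and SMS code have been supplied.
    full = Session("customer-1", {SOCIAL_LOGIN, BANK_PASSWORD, SMS_OTP})
    print("hardened policy, make_payment:", authorize(full, "make_payment"))
```

The useful property is that the returned `missing_factors` set doubles as the step-up prompt: a federated session that asks to view cards is told it still owes the bank password, and a payment additionally owes the SMS code, so the social login is reduced to an identifier rather than a credential.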