The Inside Story of Finding a Reverse Transaction Vulnerability in a Financial Application


Hello everyone, my name is Raja Uzair Abdullah and I’m an Application Security Engineer. With my focus on penetration testing and bug bounty, I have had the opportunity to report security vulnerabilities to top tech giants such as Google, Microsoft, Apple, Sony, Stripe, and more.

Having worked extensively in the application security domain, I’m always eager to learn new things and expand my knowledge in this exciting field. When I’m not finding vulnerabilities and reporting them to reputable organizations, I work as a full-time application security engineer, where I get to apply my expertise to secure various applications.

In this blog post, I will be sharing a recent finding in an application’s send money feature that allowed the feature’s purpose to be reversed. I hope you find it informative and insightful.

I recently had the opportunity to test the security of a mobile banking app. While conducting the assessment, I identified a significant vulnerability within its money transfer functionality. The flaw allowed the application’s send money feature to be abused to conduct unauthorized, reversed transactions.

It all started when I proxied the mobile application through Burp, a popular web/mobile application testing tool. After logging in to the application with valid credentials, I navigated to the Payment section and selected Send Money.

Next, I entered a valid mobile/account number, confirmed the amount I wanted to transfer, and intercepted the request with Burp. The request included two fields: “referenceNumber”, which by its name identifies the account that is sending the money, and “destinationReferenceNumber”, which by its name identifies the account that is receiving the money.

Original Request (screenshot): Normal Behavior

Here comes the tricky part. I swapped the “referenceNumber” field with the “destinationReferenceNumber” field, which reversed the flow, and to my surprise I received a 200 OK response from the server with the message “Request Successful”. This meant that instead of sending money from my account to the victim’s account, I was able to receive money into my own account.

Modified Request (screenshot): Ambiguous Behavior
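The root cause described above is that the server debits whatever account the client names in “referenceNumber” instead of the account bound to the authenticated session. The following is an added illustration, not code from the bank or from the author: a minimal transfer handler in the flawed form beside a hardened one. Account numbers, balances, the session-to-account mapping and the two requests are all constructed sample data; the field names come from the post.

```python
# Constructed sample data: which account each login owns, and starting balances.
OWNED_ACCOUNT = {"user-a": "ACC-1001", "user-b": "ACC-2002"}
START_BALANCES = {"ACC-1001": 500, "ACC-2002": 100}


def transfer_vulnerable(accounts, session_user, req):
    """Handler as the post describes it: the debited account is whatever the
    client placed in referenceNumber, and the caller's identity is never
    compared against it. Returns (status, new_balances)."""
    bal = dict(accounts)
    src, dst = req["referenceNumber"], req["destinationReferenceNumber"]
    amt = req["amount"]
    if bal.get(src, 0) < amt:
        return "Insufficient funds", bal
    bal[src] -= amt                      # any account the client names is debited
    bal[dst] = bal.get(dst, 0) + amt
    return "Request Successful", bal


def transfer_fixed(accounts, session_user, req):
    """Hardened handler: the debited account comes from the session, the
    client-supplied referenceNumber is only accepted if it matches, and the
    destination must differ from the source."""
    bal = dict(accounts)
    src, dst = req["referenceNumber"], req["destinationReferenceNumber"]
    amt = req["amount"]
    owned = OWNED_ACCOUNT.get(session_user)
    if owned is None or src != owned:
        return "Forbidden: referenceNumber is not an account of the caller", bal
    if dst == owned:
        return "Rejected: destination equals source", bal
    if not isinstance(amt, int) or amt <= 0 or bal[owned] < amt:
        return "Rejected: invalid amount", bal
    bal[owned] -= amt                    # only the caller's own account is debited
    bal[dst] = bal.get(dst, 0) + amt
    return "Request Successful", bal


# Constructed requests: user-a sends 50 to ACC-2002, then the same two fields swapped.
NORMAL_REQ = {"referenceNumber": "ACC-1001",
              "destinationReferenceNumber": "ACC-2002", "amount": 50}
SWAPPED_REQ = {"referenceNumber": "ACC-2002",
               "destinationReferenceNumber": "ACC-1001", "amount": 50}

if __name__ == "__main__":
    for name, handler in (("vulnerable", transfer_vulnerable), ("fixed", transfer_fixed)):
        status, bal = handler(START_BALANCES, "user-a", SWAPPED_REQ)
        print(f"{name}: {status} -> {bal}")
```

Running it shows the vulnerable handler crediting ACC-1001 from ACC-2002 on the swapped request, while the fixed handler refuses it and leaves balances unchanged.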

It’s shocking how easy it was to abuse the send money feature of this banking application. But it makes you wonder: how many other apps out there have similar vulnerabilities just waiting to be exploited?

In conclusion, it’s crucial to keep security in mind when building and testing applications. As users, we should also be cautious and vigilant when using these apps, especially when it comes to financial transactions.

As an employee of the company that owns the in-house application, no external reward was given to me for finding the vulnerability as it was part of my job responsibilities.

Thank you for taking the time to read this article. I hope that it provided valuable insights into the world of application security testing, and the importance of thoroughly testing mobile banking applications to identify and address vulnerabilities before they can be exploited by malicious actors. As always, I remain committed to continuing my work in this critical field, and I look forward to sharing my findings and experiences with the broader community in the future.

As a professional freelance penetration tester, I am passionate about helping organizations to identify and address security vulnerabilities in their systems and applications.

If you are interested in learning more about my services, please feel free to visit my Upwork Profile to review my qualifications and past projects. I would be happy to discuss your specific security needs and explore how I can assist you in ensuring the protection of your critical assets.

Please do not hesitate to reach out to me if you have any further questions.
