IDOR x Bank = Exposed bank balance.
Alright people, let’s do this one last time.
I’m Manav Bankatwala, and I’m a security researcher. I’m not sure what kind of radioactive spider bit me, but it gave me the power to see security vulnerabilities everywhere.
The vulnerability I am describing in this writeup is quite old; I found it way back when I was active in bug bounty. Imagine you are asking for money back from your friend, and he/she says, "I am broke." But you find out that he/she is lying, because you can hack in and see the actual bank balance of your friend. Ahaa, you got him.
It’s a very simple vulnerability, but because of its impact I felt I should write about it. So, the vulnerability we are talking about here is an IDOR (Insecure Direct Object Reference). I found this vulnerability in one of India’s fastest-growing digital banks. With this IDOR, I was able to see the actual bank balance of any user using their bank account number. Yes, you heard that right. Maybe I saw your bank balance? Haha😉
So, every month I download my bank statements to see my expenses and manage them. One afternoon, after hunting on a bug bounty program, I decided to log into my bank account and download my statement. But after completing the whole statement download, I realized that I had forgotten to turn off the interception proxy. Because of this, all the requests were captured. I thought about just letting it go, but it made me curious whether I could find any security vulnerability, and I did find one.
I didn’t want to do much aggressive testing and things like that, so just to keep it simple, I decided to look for IDORs in all the API requests that have account numbers as a parameter.
1. Opened the Burp Suite search tab.
2. Entered my own account number, which gave me a list of endpoints where my account number was provided as a parameter.
3. Out of all of them, I found an API endpoint at /api/account/v1/m-balance.
4. It was a POST request, and the JSON body contained my account number.
5. I sent this request to Repeater and changed the last two digits of my account number. Upon sending, instead of an error, it returned the balance of another user's bank account.
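To make the root cause concrete, here is an added example (my own illustration, not the bank's code) of a minimal balance endpoint in the style of /api/account/v1/m-balance: first the IDOR-prone version, which authenticates the caller but then trusts whatever account number arrives in the JSON body, and then the hardened version, which checks that the requested account belongs to the authenticated user. The account numbers, user ids, session tokens and balances are all constructed sample data.

```python
"""Added example (not the bank's code): an IDOR-prone balance lookup beside
its fixed form. Every account number, user id, token and balance below is
constructed sample data."""
from dataclasses import dataclass
import json

# Constructed sample data: account number -> (owner user id, balance)
ACCOUNTS = {
    "100200300411": ("user-alice", 52310.75),
    "100200300412": ("user-bob", 1200.00),
    "100200300499": ("user-carol", 987654.00),
}

# Constructed session store: bearer token -> authenticated user id
SESSIONS = {
    "tok-alice": "user-alice",
    "tok-bob": "user-bob",
}


@dataclass
class Response:
    status: int
    body: dict


def _authenticate(headers):
    """Map the Authorization header to a user id, or None if not logged in."""
    token = headers.get("Authorization", "").strip()
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return SESSIONS.get(token)


def m_balance_vulnerable(headers, raw_body):
    """IDOR-prone handler: authentication happens, but the account number in
    the body is looked up without checking who owns that account."""
    user = _authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    acct = json.loads(raw_body).get("accountNumber", "")
    if acct not in ACCOUNTS:
        return Response(404, {"error": "no such account"})
    _owner, balance = ACCOUNTS[acct]
    return Response(200, {"accountNumber": acct, "balance": balance})


def m_balance_fixed(headers, raw_body):
    """Hardened handler: same lookup, but the account must belong to the
    authenticated user. Unknown and foreign accounts get the identical 404,
    so the response does not reveal which account numbers exist."""
    user = _authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    acct = json.loads(raw_body).get("accountNumber", "")
    record = ACCOUNTS.get(acct)
    if record is None or record[0] != user:
        return Response(404, {"error": "no such account"})
    return Response(200, {"accountNumber": acct, "balance": record[1]})


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer tok-alice"}
    own = json.dumps({"accountNumber": "100200300411"})
    other = json.dumps({"accountNumber": "100200300499"})
    print("vulnerable, own account  :", m_balance_vulnerable(hdrs, own))
    print("vulnerable, other account:", m_balance_vulnerable(hdrs, other))  # leaks Carol's balance
    print("fixed, own account       :", m_balance_fixed(hdrs, own))
    print("fixed, other account     :", m_balance_fixed(hdrs, other))       # 404
```

The fix is an object-level authorization check, not input validation: the account number is a perfectly valid value, it just isn't the caller's. Returning the same 404 for "does not exist" and "not yours" also keeps the endpoint from doubling as an account-number oracle.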
To further test this, I simply sent the request to the intruder and iterated a list of bank account numbers. And ya, I got the bank balance of all the users with just one click. Without wasting time, I made a report and submitted it to the authorities.
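Even before the authorization bug is fixed, the iteration described above leaves a distinctive trace: one authenticated user asking the balance endpoint about many different account numbers in a short time, where a real customer asks about one or two. Here is an added example (my own illustration, not anything the bank runs) of that detection logic over constructed API access log lines; the log format, field names, timestamps and account numbers are all assumed.

```python
"""Added example (not the bank's code): flag sessions that query the balance
of many distinct account numbers within a short window. The log format and
every value in SAMPLE_LOG are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, authenticated user, endpoint, requested account, status
SAMPLE_LOG = """\
2021-03-14T14:02:11Z user=user-alice path=/api/account/v1/m-balance acct=100200300411 status=200
2021-03-14T14:02:40Z user=user-bob path=/api/account/v1/m-balance acct=100200300412 status=200
2021-03-14T14:05:01Z user=user-alice path=/api/account/v1/m-balance acct=100200300412 status=200
2021-03-14T14:05:02Z user=user-alice path=/api/account/v1/m-balance acct=100200300413 status=200
2021-03-14T14:05:02Z user=user-alice path=/api/account/v1/m-balance acct=100200300414 status=200
2021-03-14T14:05:03Z user=user-alice path=/api/account/v1/m-balance acct=100200300415 status=200
2021-03-14T14:05:03Z user=user-alice path=/api/account/v1/m-balance acct=100200300416 status=200
2021-03-14T14:09:30Z user=user-bob path=/api/account/v1/m-balance acct=100200300412 status=200
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def flag_enumeration(log_text, path="/api/account/v1/m-balance",
                     window=timedelta(minutes=5), max_distinct=3):
    """Return {user: distinct_account_count} for every user who, within some
    sliding `window`, requested more than `max_distinct` distinct account
    numbers on `path`. The count reported is the largest seen in any window."""
    per_user = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("path") == path:
            per_user[rec["user"]].append((rec["ts"], rec["acct"]))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for user, count in flag_enumeration(SAMPLE_LOG).items():
        print(f"ALERT: {user} queried {count} distinct accounts within 5 minutes")
```

The threshold is the tuning knob: a customer with a couple of accounts never trips it, while an Intruder run walks through far more account numbers than any legitimate client needs. Once the authorization fix is in place the same rule is still worth keeping, because a burst of 404s from one user against this endpoint is the same enumeration attempt, just no longer succeeding.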
But guess what? Banks don’t think that an account balance is a sensitive thing to get exposed. They replied, “Through an API, an authenticated user can only enumerate the balance of an account number; no other customer details are exposed through an API. After analyzing the issue, we have categorized it as of ‘Low’ severity.”
Do you think that bank balance exposure is really not a concern? It’s like posting your bank balance on a notice board. Are you okay with your bank balance being listed on a notice board where anyone can see it? Let me know your views on this and in what other ways this could have been exploited. Until then, adiós.
https://www.linkedin.com/in/manavbankatwala/