Privat24 (Facebook version) bypass of static password for accounts of PrivatBank (Ukraine, Russia and CIS)
Andriy Tereshchenko
2010-10-10 22:27:52 UTC
1) Affected Service

* Privat24 application in Facebook created by PrivatBank, Ukraine

2) Severity

Rating: Moderate (needs user actions or access to the mobile phone)
Impact: Exposure of sensitive financial information
and unauthorized payment transactions
Where: Remote (man in the middle), Local (removed authentication factor)

3) Vendor's Description of Service

"The Privat24 application in Facebook allows you to view the bank statement of
recent transactions on all your PrivatBank cards and accounts and to refill
mobile phone balances. More services are to be added in future."

Product Description Link:
http://privatblog.com.ua/?p=269

Actual Product Link:
http://apps.facebook.com/pb_transactions/

4) Description of Vulnerability

During the registration process the Facebook application asks for a one-time
password from an SMS message sent to the mobile phone of a registered Privat24 user.

Once the user has supplied the proper OTP from the SMS, his Facebook account ID is
linked to the ID of the PrivatBank client.

The vulnerabilities are:
1. SMS messages are not tagged in any way to show that they come from the
Privat24 (Facebook) system, and no risks of disclosing this OTP are
described to the client.

2. The secondary (mandatory) factor currently used in the original
non-Facebook Privat24 system ( http://privat24.ua ) is not used in this
version of the application.

3. Once the linking/authorization process is done, no further SMS codes or
passwords are needed to access the application other than the Facebook
account login/password.

4. The client has no control over which Facebook accounts are linked to his
financial information.


Exploitation scenario:

An attacker creates fake Facebook accounts and links them to the ID of a Privat client.
In order to link, the attacker needs short-term access to the mobile phone
(in order to receive the SMS code)
or sets up a fake website asking for the code from the SMS (e.g. a eurovoice.tv
best-song SMS voting process).

After linking, the attacker can access balances and the statement of last transactions
from all accounts of the PrivatBank client.
The attacker can also make small (tested with ~10 UAH) payments without any
SMS passwords.

5) Solution

a) SMS messages from the Privat24 (Facebook) system should be tagged properly
so that users can clearly identify the service and website URL the SMS originates from.

b) SMS codes should be requested on each login to the Privat24 (Facebook)
application (at least once per day), or an SMS notification should be sent on login.

c) The static (existing) password factor should be used in order to link a Facebook
account to a client ID; a visit to an ATM for an extra password is also an
acceptable solution.

Temporary solutions for current users offered by Rakaev Rostislav
from bank support:

Option 1: Protect your mobile phone with a PIN/password against use by your
wife/husband or co-workers. Never give it to unknown people.

Option 2: Blacklist your own phone number for use in PrivatBank Facebook
applications by contacting 0 800 500 003 (for Ukraine)
or online-chat support.

6) Timeline

A postal letter addressed to the author by PrivatBank, dated 03.05.2010,
No. 30.1.0/2-100412/1849, describes PrivatBank's intention to restore the extra
login factor (static password).

Phone call from the bank's Security Department (Dnepropetrovsk) on 07.10.2010
with an apology for the inability to address the issues due to a conflict of interests
with the Electronic Business Department. Insecurity accepted as a trade-off.

7) Credits

Discovered by client of PrivatBank.

8) About

The commercial bank PrivatBank (Ukraine) was founded in 1992. Its
services are used by more than 23% of the population of Ukraine.
PrivatBank currently serves 420 thousand corporate clients and small
businesses, and over 13 million individual accounts.

Moscomprivatbank Joint Stock Co. is a subsidiary of PrivatBank.
It has about 1.5 million credit cards issued.

Privat24 is an online banking system used by more than 1 million clients in Ukraine,
Russia and CIS.

9) Links

Privat24 (Facebook version)
http://apps.facebook.com/pb_transactions/

Vendor announcement of service
http://privatblog.com.ua/?p=269

Existing Privat24 system
http://privat24.ua



--
Andriy G. Tereshchenko
Odessa, Ukraine
+380683777768

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
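The following is an added example, not code from PrivatBank or from the author of the advisory. It models the linking and login policy that solutions (a), (b) and (c) above describe, and adds the listing and revocation of linked Facebook accounts that vulnerability 4 calls for. Everything in it is an assumption: the in-memory store, the 6-digit SMS code with a 5-minute lifetime, PBKDF2 for the static password, the `SERVICE_NAME` tag, and the 24-hour re-verification interval taken from solution (b).

```python
"""Added example, not PrivatBank's code: a minimal model of the linking and login
policy that fixes (a), (b) and (c) in the advisory describe, plus listing and
revoking linked Facebook accounts (vulnerability 4). All parameters are assumed:
in-memory storage, 6-digit OTP valid 5 minutes, PBKDF2 password hashing."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL = 300                  # seconds an SMS code stays valid (assumed)
REVERIFY_AFTER = 24 * 3600     # fix (b): a fresh SMS code at least once per day
SERVICE_NAME = "Privat24 Facebook app"             # fix (a): tag in every SMS (assumed)
SERVICE_URL = "apps.facebook.com/pb_transactions"  # URL given in the advisory

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Client:
    client_id: str
    phone: str
    salt: bytes
    pw_hash: bytes
    links: dict = field(default_factory=dict)   # fb_id -> time of last OTP check

class LinkingService:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the 24h rule can be tested offline
        self.clients = {}         # client_id -> Client
        self.fb_owner = {}        # fb_id -> client_id
        self.pending = {}         # (client_id, fb_id) -> (otp, expiry)
        self.sms_out = []         # (phone, text); a real system sends these via a gateway

    def register_client(self, client_id, password, phone):
        salt = os.urandom(16)
        self.clients[client_id] = Client(client_id, phone, salt,
                                         hash_password(password, salt))

    def _send_otp(self, client, fb_id, purpose):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[(client.client_id, fb_id)] = (otp, self.clock() + OTP_TTL)
        # Fix (a): the text names the service, its URL and what the code is for.
        self.sms_out.append((client.phone,
            f"{SERVICE_NAME} ({SERVICE_URL}): code {otp} to {purpose} Facebook "
            f"account {fb_id}. Valid 5 min. Never share this code."))

    def _verify_otp(self, client_id, fb_id, otp):
        entry = self.pending.pop((client_id, fb_id), None)   # single use, right or wrong
        if entry is None:
            return False
        expected, expiry = entry
        return self.clock() <= expiry and hmac.compare_digest(
            expected.encode(), str(otp).encode())

    def begin_link(self, client_id, fb_id, password):
        """Fix (c): the static Privat24 password is checked before any SMS code is sent."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(
                hash_password(password, client.salt), client.pw_hash):
            return False
        self._send_otp(client, fb_id, "link")
        return True

    def complete_link(self, client_id, fb_id, otp):
        if not self._verify_otp(client_id, fb_id, otp):
            return False
        client = self.clients[client_id]
        client.links[fb_id] = self.clock()
        self.fb_owner[fb_id] = client_id
        # Vulnerability 4: the client is told about every account that gets linked.
        self.sms_out.append((client.phone,
            f"{SERVICE_NAME}: Facebook account {fb_id} is now linked to your profile."))
        return True

    def login(self, fb_id):
        """Called after Facebook login; returns 'denied', 'otp_required' or 'granted'."""
        client_id = self.fb_owner.get(fb_id)
        if client_id is None:
            return "denied"
        client = self.clients[client_id]
        if self.clock() - client.links[fb_id] >= REVERIFY_AFTER:   # fix (b)
            self._send_otp(client, fb_id, "sign in with")
            return "otp_required"
        return "granted"

    def complete_login(self, fb_id, otp):
        client_id = self.fb_owner.get(fb_id)
        if client_id is None or not self._verify_otp(client_id, fb_id, otp):
            return False
        self.clients[client_id].links[fb_id] = self.clock()
        return True

    def linked_accounts(self, client_id):
        return sorted(self.clients[client_id].links)

    def unlink(self, client_id, fb_id):
        if self.clients[client_id].links.pop(fb_id, None) is None:
            return False
        self.fb_owner.pop(fb_id, None)
        return True
```

The design choice worth noting is that an OTP is consumed on the first attempt whether it was right or wrong, and expires after `OTP_TTL`, so a code phished through an unrelated website is only useful briefly and only once; combined with the password check in `begin_link`, the phone alone is no longer sufficient to create a link, which is the gap the advisory describes.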
Andriy Tereshchenko
2010-10-11 18:30:50 UTC
Hi,

I suspect that the real reason for this app is intelligence on data about
bank clients from the Facebook database,
to be used during debt collection or while making loan decisions.

The app has no Privacy Policy defined, but requests permissions to access the
Facebook profile, friends list and other info. ;-)

The person who "invented" this app, Alexander Vityaz, has posted on his
wall (on 1 October) a link to an article on how many data-mining employees
LinkedIn has and what they do. It seems he is willing to replicate the
same effort for banking purposes.

References:
1. Alexander Vityaz Facebook Wall
http://www.facebook.com/profile.php?id=544590214&v=wall&ref=ts

2. Article about Dip Nashar - CEO of LinkedIn (in Russian)
http://www.forbes.ru/karera/rynok-truda/57722-zaprogrammirovat-kareru

--
TAG
LOL. It must be quite convenient to use banking alongside FarmVille.
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com
Post by Andriy Tereshchenko
1) Affected Service
* Privat24 application in Facebook created by PrivatBank, Ukraine
2) Severity
Rating: Moderate (needs user actions or access to the mobile phone)
Impact: Exposure of sensitive financial information
and unauthorized payment transactions
Where: Remote (man in the middle), Local (removed authentication factor)
....

--
Andriy G. Tereshchenko
Odessa, Ukraine
+380683777768

Shreyas Zare
2010-10-12 17:44:59 UTC
Post by Andriy Tereshchenko
Hi,
I suspect that the real reason for this app is intelligence on data about
bank clients from the Facebook database,
to be used during debt collection or while making loan decisions.
The app has no Privacy Policy defined, but requests permissions to access the
Facebook profile, friends list and other info. ;-)
The person who "invented" this app, Alexander Vityaz, has posted on his
wall (on 1 October) a link to an article on how many data-mining employees
LinkedIn has and what they do. It seems he is willing to replicate the
same effort for banking purposes.
1. Alexander Vityaz Facebook Wall
http://www.facebook.com/profile.php?id=544590214&v=wall&ref=ts
2. Article about Dip Nashar - CEO of LinkedIn (in Russian)
http://www.forbes.ru/karera/rynok-truda/57722-zaprogrammirovat-kareru
--
TAG
Interesting. Providing the same level of security to financial details and
FarmVille is a really bad idea. Many banks are providing two-factor
authentication, different passwords for transactions etc. to provide better
security, but in this case things have gone backwards.

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com
