Bruteforcing leaks Major Bank Customers sensitive information

vvek
3 min readSep 5, 2023

Hello everyone,

Hope you are doing good.In this article i gonna write about vulnerability which i found in one of India's major bank. This bank has around 100 Millions + customers .This vulnerability can cause serious impact on bank customers if used in malicious ways. Lets jump into story.

As i cant disclose name of bank lets say its example.com. I had an issue with bank account regarding transaction so i decided to raise a complaint for that. After finding the website link for lodging complaint its asking for Just account number .Here comes the thing as it doesnt have any captcha for restricting user from multiple requests.I thought how about firing up requests in burp suite.

  1. Opened the burp suite tool
  2. Sent the requests from abcd.example.com/complaint by entering my account number and mobile number and intercepted the requests
  3. From request i selected last three digits of account and started bruteforcing those digits .
  4. Guess what Boom 🥳 it has given 200 ok responses for valid account numbers with customers first name and last name and last four digits of mobile.

Out of 300 sent requests i got 120+ valid “200 ok”responses which is enough for bruteforcing in large scale as ip address is still not blocked.

Image shows Bruteforcing account numbers leaks information of users with out restriction of blocking ip address.

Impacts:

1.Brute forcing by malicious users in Large scale leaks 100M + customers first name, last name ,Full account number and last four digits of mobile number as there is no rate limiting on requests .

2.Even though it has less probability but this can leads to serious impact by phishing techniques of calls pretending to be bank confirming their account number first name, last name if figured out finding the contact number .But here challenge is how we get full mobile numbers 🤔.Use Osint techniques from first name, last name we found through leaking from responses and gather as much information from Internet .There is high chance of finding out their social media ids. From there you need to start thinking in black hat way to grab their personal information's .

Fix: Install Captcha on your website.

Captchas be like

Hope this helps in learning even small captchas helps from breaches and acts as linchpin.

Giveaway: Although it seems funny here but Banks never calls asking for any personal information such as PIN, Otp’s, Passwords etc.

Reported to bank ,no response from other side and fixed after few days with out response.

Thanks

Vvek

--

--