Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication protection.
The process validation issue arises from a problem in the way PrivatBank has configured the server that handles all of its mobile banking clients. On his website and on the Full Disclosure mailing list, security researcher Eugene Dokukin explains that this vulnerability allowed him to bypass Privat24’s one-time password (OTP) mechanism. However, Dokukin needed to string in a second attack in order to compromise the banking application completely.
Ideally, Private24 should send an OTP to users via standard messaging service each time he or she logs in. However, in reality, the bank is only sending this code to users when they initially install the application on their Android, iOS, or Windows mobile device. Once the application is installed and verified with the initial OTP to a particular device, users can access the application without overcoming that barrier of entry again. For the PrivatBank website on the other hand, the bank sends a new OTP each time a user attempts to log in.
PrivatBank protects its users’ accounts with their mobile number – as a username or account number – and a password. So users would need their password to log in with or without the OTP. Dokukin’s attack therefore is a tricky one. An attacker would need a second attack, perhaps using malware or some sort of phishing scheme, to ascertain a user’s account password before being able to compromise the application and potentially steal money.
Dokukin said he contacted PrivatBank and reported the vulnerability to them. They confirmed the problem to Dokukin but have yet to fix it. The researcher has not yet released all of the technical details explaining how this attack works, but says he intends to do so once PrivatBank updates their applications with a patch fixing the bug.
Threatpost reached out to PrivatBank as well, but the company did not respond to a request for comment at the time of publication.