
Don't phish me, dear bank.

With so many vulnerabilities floating all around us, this one is of its own kind. It has no impact on user information, bank servers or data, but it can still be leveraged to play tricks on end users. What if I ‘use’ this vulnerability (a design flaw) to phish end users? Will they trust it? I think they will, because the message arrives from the legitimate website, so they have every reason to trust the relationship and the messages it shows them.

UPDATE: This vulnerability has been addressed. Please read Kotak’s message at the end of this blog. For details, continue reading.

The website in discussion is that of an Indian bank, Kotak Mahindra Bank. As a bank, I would highly recommend it; great services with amazing potential to grow! They have a secure interface for net banking and net cards, but nevertheless missed a bit on the error message flow design.

Let me take you through the process of logging in to Kotak Bank.

Okay, so you are clear with the authentication links and the possible flow. Now, let’s focus on the OTP generation page, which takes no text input, just a click on ‘Generate the access code’. Once you click the link, it generates a code and sends it to your mobile number, or shows an error message, depending on the information supplied on the previous page.

But how does the error message pop-up work? The page gets the response from the server and appends it to the URL as a GET parameter. So, if the error message is ‘Sorry the access code can’t be generated.’, the URL will look like:

hxxps://www.kotak.com/pg/GeneratePin.jsp?flagvalue=NNA&ErrorMsg1=Sorry%20the%20access%20code%20can\’t%20be%20generated%2E

I hope you see what I mean. Yes, we can customize the error message thrown by the server (at least that is what it looks like). Now, what is the problem with this? To frame the problem statement and the security concern, let us assume a scenario:
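To make the flaw concrete, here is an added example (my own illustration, not Kotak’s code) of the weak pattern, where the pop-up text is whatever the ErrorMsg1 parameter carries, next to a hardened version that accepts only a short error code and resolves the text from a fixed server-side table. The code names, messages and the bank.example URLs are constructed; the last function is a defender-side check that flags URLs carrying free-text message content.

```javascript
// Fixed table of messages the application is allowed to show. With this
// design the URL never carries free text, only a code that indexes the table.
const ERROR_MESSAGES = Object.freeze({
  GEN_FAILED: "Sorry the access code can't be generated.",
  SESSION_EXPIRED: "Your session has expired. Please log in again.",
});
const GENERIC_ERROR = "An error occurred. Please try again.";

function queryParams(url) {
  // Base is only needed for relative URLs; absolute URLs ignore it.
  return new URL(url, "https://bank.example").searchParams;
}

// Weak pattern (what the post describes): the ErrorMsg1 value becomes the
// pop-up body verbatim, so a crafted link controls what the user reads
// on the bank's own domain.
function popupTextWeak(url) {
  const msg = queryParams(url).get("ErrorMsg1");
  return msg === null ? "" : msg;
}

// Hardened pattern: only a known code is honoured; anything else, including
// a missing code, falls back to a generic message. hasOwnProperty is used
// so that codes like "constructor" cannot reach Object.prototype.
function popupTextHardened(url) {
  const code = queryParams(url).get("errCode") || "";
  return Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code)
    ? ERROR_MESSAGES[code]
    : GENERIC_ERROR;
}

// Defender-side check for proxy or web-server logs: returns the reasons a
// request URL looks like it is being used to spoof the pop-up content.
function suspiciousReasons(url) {
  const reasons = [];
  const msg = queryParams(url).get("ErrorMsg1");
  if (msg === null) return reasons;
  if (!Object.values(ERROR_MESSAGES).includes(msg)) reasons.push("unknown message text");
  if (/\n|\\n/.test(msg)) reasons.push("line breaks in message");
  if (/https?:\/\/|www\.|\.[a-z]{2,}\//i.test(msg)) reasons.push("link or domain in message");
  return reasons;
}
```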

Let us say ‘Alice’ receives an email from a spoofed or look-alike email address ([email protected]), and the contents of the email (the links can be further obfuscated or shortened) are:

Dear Alice,
This is to bring to your kind attention that we have encountered the usage of your account from other geographical location. This can be a legitimate activity but to validate we need to know your current location. Please generate a new access code, and we will map your current location.

If the location doesn’t match the last stored location, we will ask you to login to our ‘secured page’ for further actions. Kindly co-operate and sorry for resulted inconvenience.

This is for the security of your account, and requires a quick action. Please click the link below,

hxxps://www.kotak.com/pg/GeneratePin.jsp?flagvalue=NNA&ErrorMsg1=Dear%20Alice%2C\nYour%20last%20account%20access%20is%20not%20matched.\nPlease%20close%20this%20page%2C%20and%20login%20to%20www.kotak-security.example.com%20to%20update%20your%20settings%20immediately.\n\nBest%20Wishes%2C\nKotak%20Mahindra%20Bank

Regards,
Kotak Mahindra Bank

What do you think is breaking here?

Alice trusts the bank website! When Alice clicks the link, it shows a message box with our customized message. If the user lacks security awareness, chances are they will do as instructed. Alice will think that the message is on a legitimate website and comes from that legitimate website. Bang! Game over.

Conclusion
I think critical websites, especially those dealing with financial information, should address such design flaws and make sure there is no way a malicious user can use their design to fool its victims.

Kotak should fix this before it falls in the hands of wrong people.

UPDATE: Some readers doubted that I had informed Kotak Bank about this flaw before disclosing it publicly. Here is a snapshot of one such email I sent earlier to Kotak Bank.

9th November, 2012: Kotak’s Quick Response & Fix

In the light of recent news of a possible breach of security and customer exposure to vulnerability on our netbanking site, we would like to assure our customers that your accounts will not be affected in any manner whatsoever and your netbanking transactions are not exposed to any risks. The articles and tweets brought to our attention a vulnerability which could lead to a possible security breach. However, after having checked with our internal cyber security experts we assure you that there is no actual possibility of a security breach on the Kotak netbanking/payment gateway as a result of this vulnerability.

While we do acknowledge the presence of this vulnerability on our netbanking site, we would like to reiterate that this vulnerability is in no way harmful to your netbanking experience on our website and neither does it pose any possible security threat to your account. We are thankful to those who brought this issue to our notice and have fixed the vulnerability. We offer our sincerest apologies to our customers for any inconvenience caused and we reassure you that Kotak netbanking is a safe and secure service.

For any further questions or queries that you might have, we request you to kindly get in touch with us by emailing us on the following address: [email protected]

Thanks Kotak for the immediate fix and the public acknowledgement. The security community always appreciates it. Cheers!
