How do I get this bank or any company to take my feedback seriously?

The other day I was browsing through a very renowned and govt.-owned bank’s website, one of the largest banks in India. While browsing I thought, “Is it possible that this website has some vulnerability that will take me to their database?” So I decided to find out. Link after link, page after page was tested, but no luck; then, after 2-3 hrs of continuous testing, I finally found one link which had the characteristics of SQL Injection.

So now I had a link with SQL Injection in it. “What’s next?” I decided to take this thing one step further, created a payload and decided to exploit this vulnerability. To my surprise, finding the vulnerable link was the only difficult part; exploiting the database was a piece of cake. Now I was into the database of one nationalized bank. After playing with it for a few minutes, I decided to inform the bank authorities about this vulnerability.

I wrote a mail to the CIO, keeping the COO, CTO and CEO in CC, and thought they would take care of this and patch it. But again, to my surprise, when I tested the same link after 10 days, the vulnerabilities were just as they had been. So I decided to update them about this again, this time via Twitter.
I got their reply after 6 days, even on Twitter, saying they’ll look into this matter. And the vulnerability is still intact.

After all this I was forced to think: “Why are most people in India not much concerned about their online security, even when someone points out a vulnerability in their system?”

If you have any answer I’d love to hear that.

9 Comments

  1. The Ombudsman is who you should contact, with the important people in CC.

    It really scares the shit out of banks.

    Really.

    https://en.m.wikipedia.org/wiki/Banking_Ombudsman_Scheme

  2. And yeah, you can earn some money as a reward as well. Long live the #EthicalHacker

  3. Hi Peeyoosh,

    Try reaching out to the CISO in the bank, as ensuring information security would be under his remit. Hope he takes it up seriously and pushes the technology team to plug the issues.

    Meanwhile, I would also suggest you avoid this strategy with banks, as it could boomerang if the bank decides to pursue it as a hacking case against you. If their systems/servers go down or data gets corrupted during such an attempt, they could file a case and pursue the matter legally in spite of their systems being vulnerable.

    The normal process followed in the banking industry is to seek prior permission and then attempt ethical hacking. Avoid Twitter or such social media to highlight issues.

    You might or might not agree with my suggestion, but I thought of sharing my view.

    Cheers – Ashish

  4. Thanks Omkar for the reply, will definitely use your suggestion next time. 🙂

    Cheers.

  5. Hi Ashish,

    Thanks for the reply. Yes, I agree with your concerns, and will surely keep this thing in mind, but everyone asks for a POC (proof of concept) if you simply approach them. So we take all precautions, and as soon as we find any vulnerability we report it to the concerned authority, with proof, so that they can patch it before some malicious user does some damage.

    But will surely keep every word of yours in mind.

    Cheers.

    Peeyoosh

  6. Hey Peeyoosh, tried this again? Are they responding now?

  7. Hi Sushrut, the last response I got from them was that they will look into this matter. But I am sure that it has not been patched. Will check again.

  8. Hey Peeyoosh, can you send me the name of the bank? I can give you the mail ID of the system administrator if possible.

  9. In the current scenario, the fastest way to get a reply is to escalate the matter through the following website:

    https://pgportal.gov.in/Grievance.aspx
    Select the Department of Financial Services, Banking Division.
    You will be heard pronto…
