
Article: EvoBanco - Vulnerability

R4nsom

The funny story of a rogue CISO:

Hello friends, today I bring you a new adventure that I have been living with a CISO of a Spanish bank (EvoBanco) in recent days.

A while ago, while I was enjoying the internet, we found a vulnerability in the EvoBanco registration process. During the creation of a user account, we realized that the server made a GET request prior to the redirection process which made a check based on the IDE. The IDE is the identifier of each user in the bank: for example, if you registered on 04/21/2024, an IDE-XXXXXX was assigned to you from the registration (when entering the NIF and TLF) and it was saved in the database. If on 04/22/2024 you wanted to continue with the registration, the bank sent a request to the server asking for your IDE and to know what process you were in. In this process 2 failures were detected.

The first flaw was simply that anyone could do a GET even if the IDE was not theirs. For example, if user A asked for user B, the server gave them all the data of user B.

This seemed to be safe in view of "bruteforce" or "over requests", since the request worked based on a bearer they gave you. But there was 1 error: it worked without a bearer.

To my surprise, and after opening a couple of beers, we identified that these fools followed the same pattern for GET requests, something like IDE-0XXXX to IDE-6XXXX. Well, easy: with a brute force attack we got all the users, clients and employees registered in EVOBANCO, with their telephone number, ID, PSD2 account number, account number, address, salary, job... something catastrophic.

We were thinking about different ways before bruteforce, since there would be many requests to a bank, but yes, they allowed us to make around 6-7M requests without any type of problem (thanks to the responsible sysadmin).

Last week we contacted Jaime, the CISO of Evo Banco. We only wanted to negotiate with him a decent exit for his entity, since we had more than a million records of his clients and employees and we wanted them to be responsible for it.

To our surprise, he wanted to be smart and didn't contact us, so these are the consequences of his arrogance.

What happens if we still do not receive communication from EvoBanco? First, here we have a sample of 500 records; every day that we do not receive communication we will begin to expose more Evo Banco clients. pass: xss.is

Please, EvoBanco, take responsibility for your actions. We cannot allow such major failures to occur and act crazy when they hold the trust of many Spanish families and companies that trust in their security and modernity. We regret what happened to all clients, families... and I hope the bank pays for this.

Best Regards - R4nsom
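The post above describes a lookup that returned any user's registration record by IDE, accepted requests without the bearer token, and tolerated millions of sequential requests. As an added illustration (not code from the original post, and not the bank's code), the following toy model puts that vulnerable behaviour beside a hardened handler that requires a bearer, enforces that the requested IDE belongs to the caller, gives the same answer for "not yours" and "does not exist", and charges each caller a lookup budget. Every IDE, token, record and threshold here is constructed.

```python
"""Toy model of the registration-status lookup described in the post above.
Added example, not the bank's code; every IDE, token and record is constructed."""
from collections import defaultdict, deque
import time

# Constructed store keyed by the per-user "IDE" identifier from the post.
REGISTRATIONS = {
    "IDE-000001": {"owner": "user-a", "step": "document_upload", "phone": "600000001"},
    "IDE-000002": {"owner": "user-b", "step": "completed", "phone": "600000002"},
}
# Constructed bearer tokens -> owning user. A real service would verify a signed token.
TOKENS = {"tok-a": "user-a", "tok-b": "user-b"}


class Unauthorized(Exception):
    """No usable bearer was presented."""


class Forbidden(Exception):
    """Bearer is valid but the object is not the caller's (or does not exist)."""


class TooManyRequests(Exception):
    """Caller exceeded the lookup budget."""


def lookup_vulnerable(ide, bearer=None):
    """The behaviour the post describes: any IDE is returned, bearer optional and unchecked."""
    record = REGISTRATIONS.get(ide)
    if record is None:
        raise KeyError(ide)
    return record


class RateLimiter:
    """Sliding-window budget of lookups per caller (thresholds are constructed)."""

    def __init__(self, max_calls, window_s):
        self.max_calls = max_calls
        self.window_s = window_s
        self._calls = defaultdict(deque)

    def allow(self, key, now=None):
        """Record one call for `key`; return False once the window is full."""
        now = time.monotonic() if now is None else now
        q = self._calls[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


def lookup_hardened(ide, bearer, limiter, now=None):
    """Hardened handler: bearer required, object-level ownership enforced, rate limited."""
    if bearer is None or bearer not in TOKENS:
        raise Unauthorized("missing or invalid bearer")
    caller = TOKENS[bearer]
    # Budget is charged before the lookup so denied requests also count.
    if not limiter.allow(caller, now):
        raise TooManyRequests(caller)
    record = REGISTRATIONS.get(ide)
    # One answer for "not yours" and "does not exist": the endpoint must not
    # confirm which IDEs are assigned, or it becomes an enumeration oracle.
    if record is None or record["owner"] != caller:
        raise Forbidden("no such registration for this caller")
    return record


def outcome(fn, *args, **kwargs):
    """Return 'ok' or the name of the exception raised, for policy checks."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    rl = RateLimiter(max_calls=3, window_s=60)
    print("vulnerable, no bearer, other user's IDE:", outcome(lookup_vulnerable, "IDE-000002"))
    print("hardened, no bearer:", outcome(lookup_hardened, "IDE-000002", None, rl))
    print("hardened, own IDE:", outcome(lookup_hardened, "IDE-000001", "tok-a", rl))
    print("hardened, other user's IDE:", outcome(lookup_hardened, "IDE-000002", "tok-a", rl))
```

The ownership check is the fix for the first flaw in the post, the bearer requirement for the second, and the per-caller budget is what would have made 6-7M lookups visible; checking only one of the three leaves the others open.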
 
Firstly, it is important to emphasize that this data is not being sold to third parties or any company; please do not write to me privately trying to buy it. We just want EvoBanco to be responsible PUBLICLY and not "inform" only some customers.

I have already seen that you have fixed the vulnerability; congratulations, after almost 1 month you have taken action on the matter. And don't deny it, please: you know that all the personal data comes out whether the user has a CC in that account or not, and even the start of the contract.

On the other hand, why don't you say how easy it is to get the credit card of each client of your bank by logging in via subdomains? You deliver the entire CC and expiration.

Finally, here is another 500 customers' data. Stop making shitty posts on Twitter and give the face, merluzos.

pass: xss.is

Hello, here again. While I was eating a kopobka I have been reflecting, and I think that people don't understand what we are getting at with this: we are in front of the magnificent work of evasion of responsibility of a bank and its workers who are so well paid (+10k/month).

EvoBanco, I sent you an email the first time I found the flaw and you decided to ignore the email, and your CISO was still busting his balls. After 2 weeks I proceeded to send an SMS to the CISO and explain what was going on; he did not want to contact us in any way. This is curious because they say that they are the bank of the future.

These data have been obtained in a non-illicit way; you delivered them yourselves, curious, isn't it? I was looking for my lost record in 2020 and I had to take a couple more ahead, nothing else.

I feel sorry for the bank's customers, as many people can't even make transfers or send bizums or anything because of your silly "security measures".

You are preferring that your customers get hurt, so I have changed my way of thinking: from now on, every day I will publish a list of high ranks of the bank and workers, starting with you, Jaime.

I just want you to admit the mistake you have made and get to have a conversation with you via the qTox that your good employee already has in his SMS inbox. I hope he has paid the line with those +10k per month.
Last edited by a moderator: 25.04.2024
 
 
Hello, good Spanish readers, I want you to know that the people who are selling the database are all scammers; please do not speculate that it's me.

Greetings to fer from linkedin

CISO: IDE-03010616;47284129Q;1988-11-23;661446710;661446710;JAIME CASTRO MONTERO;jaime1988@gmail.com;ES5502390806782444193524;;ES5802390806792444193615;;ES2702390806712444193789;;ES3702390806792444193896;;ES4502390806782444193995;;2800;12;PROFESIONALES DE LA EDUCACIÓN, SALUD, CIENCIAS E INGENIERÍA;CALLE DEL MONASTERIO DE LAS HUELGAS, 20;28049

CEO: IDE-03543733;07212941A;1964-02-11;689797108;689797108;GREGORIO EDUARDO OZAITA VEGA;eozaita@gmail.com;ES9402390806702586902427;;ES9702390806712586902518;;ES2302390806792586902682;;ES7602390806712586902799;;ES8402390806702586902898;;10000;14;EMPLEADOS EN DEPARTAMENTOS CENTRALES Y/O ATENCION AL PÚBLICO;CALLE DE BUESO DE PINEDA, 10;28043

Call them if you do not hear back from the service support to complain about fraud attacks.
 
R4nsom said:
Hello, here again. While I was eating a kopobka I have been reflecting, and I think that people don't understand what we are getting at with this: we are in front of the magnificent work of evasion of responsibility of a bank and its workers who are so well paid (+10k/month).

Chill, bro. Banks' management never care and always act like this because they think they are too big to fail (and most often they are).
you might try to tell your next target something like this: "I am a gray-hat hacker and sell the info to whoever pays, so either you pay me for the information on how to fix your vulnerabilities or I sell your clients data to the russian hackers"
 
CIO: IDE-04890223;70475529X;;;663795057;RUBEN ANDRES PRIEGO;victoria.priego.s@gmail.com;;12000;12;DESCONOCIDO;CALLE AGUAMARINA, 34;28905 (+12k/m)

CFO: IDE-03563329;33508564W;1970-04-11;647357887;647357887;BEATRIZ DE MENDOZA RODRIGUEZ;bdemendo@bankinter.com;ES0401280051260101836443;;ES2502390806732603096120;;ES2802390806742603096211;;ES9102390806772603096385;;ES0702390806742603096492;;ES1502390806732603096591;;2000;14;DIRECTORES, GERENTES Y/O PERSONAS CON RESPONSABILIDAD PÚBLICA;CAVANILLES, 25;28007
 
With this last post I close the article, as evidence for future problems in the bank. It should be noted that I was watching different cases, and I admire how Carrefour Pass (a financial company) took action and how a bank is taking it instead: informing by email, not with the notice of the breach, but that they had an "urgent" notification in the electronic banking tray.

A salute to Adri, one of the biggest misinformers of Twitter together with 3Sp3cT3; let's see if this attention feeds you for a few days.

I feel sorry for all customers, and for anyone who wants to talk about it I leave my qTox, in case you want to know what kind of information of yours has leaked.

Good night and see you next time
qTox: C5756B5236FD02730AFA341B15A0BA3A20B0B649624994DB907151C9C00E886B7509BB6D2C00
 
R4nsom said:
The funny story of a rogue CISO:

Hello friends, today I bring you a new adventure that I have been living with a CISO of a Spanish bank (EvoBanco) in recent days.

A while ago, while I was enjoying the internet, we found a vulnerability in the EvoBanco registration process. During the creation of a user account, we realized that the server made a GET request prior to the redirection process which made a check based on the IDE. The IDE is the identifier of each user in the bank: for example, if you registered on 04/21/2024, an IDE-XXXXXX was assigned to you from the registration (when entering the NIF and TLF) and it was saved in the database. If on 04/22/2024 you wanted to continue with the registration, the bank sent a request to the server asking for your IDE and to know what process you were in. In this process 2 failures were detected.

The first flaw was simply that anyone could do a GET even if the IDE was not theirs. For example, if user A asked for user B, the server gave them all the data of user B.

This seemed to be safe in view of "bruteforce" or "over requests", since the request worked based on a bearer they gave you. But there was 1 error: it worked without a bearer.

To my surprise, and after opening a couple of beers, we identified that these fools followed the same pattern for GET requests, something like IDE-0XXXX to IDE-6XXXX. Well, easy: with a brute force attack we got all the users, clients and employees registered in EVOBANCO, with their telephone number, ID, PSD2 account number, account number, address, salary, job... something catastrophic.

We were thinking about different ways before bruteforce, since there would be many requests to a bank, but yes, they allowed us to make around 6-7M requests without any type of problem (thanks to the responsible sysadmin).

Last week we contacted Jaime, the CISO of Evo Banco. We only wanted to negotiate with him a decent exit for his entity, since we had more than a million records of his clients and employees and we wanted them to be responsible for it.

To our surprise, he wanted to be smart and didn't contact us, so these are the consequences of his arrogance.

What happens if we still do not receive communication from EvoBanco? First, here we have a sample of 500 records; every day that we do not receive communication we will begin to expose more Evo Banco clients.

Please, EvoBanco, take responsibility for your actions. We cannot allow such major failures to occur and act crazy when they hold the trust of many Spanish families and companies that trust in their security and modernity. We regret what happened to all clients, families... and I hope the bank pays for this.

Best Regards - R4nsom

I would change the title to Hacked; I don't see any hacking in this feat. I see rather how you have found a way to perform a user check, something similar to dumping everything you can with a checker script. EvoBanco in Spain has had quite severe damage from within the entity, where they had millionaire losses in a single day through an IDOR + SSRF that allowed increasing the limit of clients' debit cards to 900k. I think that not even in that case could we really talk about a hack: you did not access any server or database. Perhaps we could talk about a cyber attack due to a vulnerability found. I apologize if I'm wrong, but I see it like this. Good day.
 