The funny story of a rogue CISO:
Hello friends, today I bring you a new adventure that I have been living with a CISO of a Spanish bank (EvoBanco) in recent days.
A while ago, while I was enjoying the internet, we found a vulnerability in the evobanco registration process. During the creation of a user account, we realized that the server made a GET request prior to the redirection process which performed a check based on the IDE. The IDE is the identifier of each user in the bank: for example, if you registered on 04/21/2024, an IDE-XXXXXX was assigned to you from the registration (when entering the NIF and TLF) and it was saved in the database. If on 04/22/2024 you wanted to continue with the registration, the bank sent a request to the server asking for your IDE and to know what process you were in. In this process 2 failures were detected.
The first flaw was simply that anyone could do a GET even if the IDE was not theirs. For example, if user A asked for user B, the server gave them all the data of user B.
This seemed to be safe against "bruteforce" or "over requests" since the request worked based on a bearer they gave you. But there was 1 error: it worked without a bearer.
To my surprise, and after opening a couple of beers, we identified that these fools followed the same pattern for GET requests, something like IDE-0XXXX to IDE-6XXXX. Well, easy: with a brute force attack we got all the users, clients and employees registered in EVOBANCO, with their telephone number, ID, psd2 account number, account number, address, salary, job... something catastrophic.
We were thinking about different ways before bruteforce, since there would be many requests to a bank, but yes, they allowed us to make around 6-7M requests without any type of problem (thanks to the responsible sysadmin).
Last week we contacted Jaime, the CISO of Evo Banco. We only wanted to negotiate with him a decent exit for his entity, since we had more than a million records of his clients and employees and we wanted them to be responsible for it.
To our surprise, he wanted to be smart and didn't contact us, so these are the consequences of his arrogance.
What happens if we still do not receive communication from EvoBanco? First, here we have a sample of 500 records; every day that we do not receive communication we will begin to expose more Evo Banco clients. pass: xss.is
Please EvoBanco, take responsibility for your actions. We cannot allow such major failures to occur and act crazy when they hold the trust of many Spanish families and companies that trust in their security and modernity. We regret what happened to all clients, families... and I hope the bank pays for this.
Best Regards - R4nsom
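The lookup flaw the post describes (a resume-registration GET that needs no bearer, accepts any IDE, and uses predictable IDE values) is shown below as an added example with the vulnerable handler beside a hardened one, plus the denial counter a detection rule on that endpoint would key on. This is constructed illustrative code, not EvoBanco's code or the poster's; the registration table, session store, token strings and source addresses are all assumptions.

```python
import hmac
from collections import Counter

# Constructed sample data standing in for the bank's registration table; not real records.
REGISTRATIONS = {
    "IDE-000123": {"step": "NIF_AND_PHONE_ENTERED", "phone": "+34 600 000 001", "nif": "00000000T"},
    "IDE-000124": {"step": "ADDRESS_ENTERED", "phone": "+34 600 000 002", "nif": "00000001R"},
}
# Hypothetical session store: bearer issued at registration -> the IDE it was issued for.
SESSIONS = {"bearer-for-000123": "IDE-000123"}

DENIALS = Counter()  # denied lookups per source, consumed by enumeration_suspects()


def lookup_vulnerable(ide, bearer=None):
    """The pattern the post describes: any IDE, with or without a bearer, returns the full record."""
    return REGISTRATIONS.get(ide)


class AuthError(Exception):
    pass


def lookup_hardened(ide, bearer, source="unknown"):
    """Resume-registration lookup with the missing controls applied."""
    try:
        # 1. Authentication: a request without a bearer is rejected before any lookup happens.
        if not bearer:
            raise AuthError("missing bearer")
        # 2. Authorization: the IDE is bound to the session; a client-supplied IDE must match it.
        owner = SESSIONS.get(bearer)
        if owner is None or not hmac.compare_digest(owner, ide):
            raise AuthError("bearer is not valid for this IDE")
    except AuthError:
        DENIALS[source] += 1  # every denial is recorded so enumeration attempts become visible
        raise
    record = REGISTRATIONS[owner]
    # 3. Data minimisation: the flow only needs the current step, not the whole profile.
    return {"ide": owner, "step": record["step"]}


def enumeration_suspects(threshold=3):
    """Sources with repeated denials on this endpoint, sorted; the signal an alert should fire on."""
    return sorted(src for src, n in DENIALS.items() if n >= threshold)
```

Unpredictable identifiers (e.g. from `secrets.token_urlsafe`) would additionally remove the IDE-0XXXX to IDE-6XXXX pattern the post relies on, but the ownership check is what closes the hole even if IDEs stay sequential.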