SBI Vulnerability Exposed


Category : Blog

A One-Time Password (OTP) is an automatically generated numeric or alphanumeric string that authenticates a user for a single transaction or session. An OTP is more secure than a static password, especially a user-chosen one, which is typically weak. OTPs may replace the normal login credentials or be used in addition to them as a second layer of security.

“But what if we can bypass the OTP?” said Neeraj Edwards.

Yes, you read that right: the OTP could be bypassed. Neeraj shared his experience of this SBI vulnerability.

Neeraj explained: “State Bank of India (SBI) is one of the most popular banks in India. When we make a transaction, at the last stage we are sent to a One Time Password screen. Approximately 3 months ago, I was searching for bugs in State Bank of India. After spending 1 hr on https://retail.onlinesbi.com, I found that when I am making a transaction (on the last stage of the transaction) there is a parameter passed in the POST request called

smartotpflag, which is set to Y, i.e. smartotpflag=Y

Initially it was already set to the value Y.

Here we can easily understand that the smartotpflag parameter is used to generate the OTP, and Y represents “yes, generate the OTP and send it to my mobile”.

But what if we change this Y to N?

Yes, that is exactly what I did: I changed the value from Y to N, and the result was shocking to me. The transaction was completed successfully without entering the OTP.”

He also demonstrated it in a video, but mentioned that this SBI vulnerability has since been patched. No reward was given for the report, nor any acknowledgement. The root cause is that the server let a client-controlled request parameter decide whether the OTP step was enforced; that decision belongs to server-side state and policy, never to the browser.
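As an added illustration (not code from the post or from SBI), here is a constructed Python model of the confirmation step: the flawed handler that lets the client's smartotpflag decide whether the OTP is checked, beside a hardened handler that decides from server-side state only, plus a small detection hook for a tampered flag. The in-memory session store, the six-digit OTP format and all function names are assumptions made for the demo.

```python
import hmac
import secrets

# Constructed in-memory server state for this demo: one pending OTP challenge
# per session, created when the transfer is initiated. Not SBI's code.
SESSIONS = {}


def issue_otp(session_id):
    """Server issues and stores the OTP it expects for this session.

    The value is returned here only so the demo can stand in for the user's
    phone; a real server sends it out of band and never echoes it to the browser.
    """
    otp = f"{secrets.randbelow(10**6):06d}"
    SESSIONS[session_id] = {"otp": otp}
    return otp


def vulnerable_confirm(session_id, form):
    """Flawed handler: a client-supplied flag decides whether the OTP is checked."""
    state = SESSIONS[session_id]
    if form.get("smartotpflag") == "Y":
        if not hmac.compare_digest(form.get("otp", ""), state["otp"]):
            return "OTP_REQUIRED"
    # Reached with smartotpflag=N and no OTP supplied at all.
    return "TRANSACTION_COMPLETED"


def hardened_confirm(session_id, form):
    """Fixed handler: the OTP requirement comes only from server-side state."""
    state = SESSIONS.get(session_id)
    if state is None or state["otp"] is None:
        return "OTP_REQUIRED"  # no live challenge: the client cannot opt out
    if not hmac.compare_digest(form.get("otp", ""), state["otp"]):
        return "OTP_REQUIRED"
    state["otp"] = None  # one-time: consumed, so a replay needs a fresh challenge
    return "TRANSACTION_COMPLETED"


def looks_tampered(form):
    """Detection hook: the server always sets Y, so anything else is worth alerting on."""
    return form.get("smartotpflag") != "Y"
```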
