Housing Development Finance Corporation (HDFC) Bank is one of the leading banks in India. The zSecure team found a vulnerability in the bank's web portal on July 15 and reported it on July 17. They sent a reminder on July 24, and the bank responded on August 8 (22 days after the report) with the following message:
“Thank you for sending us this information on the critical vulnerability. We have remediated the same.”
After the email, zSecure checked the bank's web portal again, only to find that the vulnerability was still there, and replied to the message saying so. This time zSecure also sent proof of the hidden SQL injection vulnerability and asked the bank to fix it as soon as possible. Both the bank and a third-party service provider checked for the vulnerability and could not find it. The bank replied two days later with:
“We have remediated all the vulnerabilities reported on our website. Also, we have had an application vulnerability assessment performed by one of our third-party service providers, and they confirmed that there are no more SQL injection vulnerabilities.”
The team was surprised by the bank's latest response and went back to the bank's security team with all the details and inputs. Finally, after all this communication, the vulnerable file was removed. I call this “How to fix your vulnerable website for dummies”. I believe that banks and all organizations holding critical information should hire more advanced and educated people to be part of their security teams.
Security Threats:
- Complete Database Access
- Database Dump
- Shell Uploading
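The list above is the reporter's summary of impact; the page gives no detail of the affected file or query. As an added illustration that is not zSecure's or HDFC's code, the following constructed Python/sqlite3 snippet shows the query pattern behind a "complete database access / database dump" finding (string concatenation into SQL), the parameterized fix, and a simple retest that distinguishes a real remediation from a claimed one. The table, rows and payload are made up for the example; the retest idea is that an injection payload must never return more rows than a benign lookup.

```python
import sqlite3

# Constructed sample schema and data (not a real bank's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, account) VALUES (?, ?)",
        [("alice", "ACC-001"), ("bob", "ACC-002"), ("carol", "ACC-003")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Injectable: user input is concatenated straight into the SQL text,
    # so a quote in `name` breaks out of the string literal.
    sql = (
        "SELECT name, account FROM customers WHERE name = '"
        + name
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized: the driver binds `name` as a value, never as SQL.
    return conn.execute(
        "SELECT name, account FROM customers WHERE name = ? ORDER BY id",
        (name,),
    ).fetchall()


# Classic tautology payload; in the vulnerable handler it turns the query into
#   WHERE name = 'x' OR '1'='1'
# which matches every row (a full table dump).
PAYLOAD = "x' OR '1'='1"


def still_injectable(lookup, conn):
    """Retest a handler: the payload must not return more rows than a
    lookup for a name that does not exist. True means the hole is still there."""
    benign = len(lookup(conn, "nobody-with-this-name"))
    hostile = len(lookup(conn, PAYLOAD))
    return hostile > benign


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every row
        "safe": lookup_safe(conn, PAYLOAD),              # no rows
        "normal": lookup_safe(conn, "alice"),            # one row
    }


if __name__ == "__main__":
    results = demo()
    for label, rows in results.items():
        print(f"{label}: {rows}")
    db = make_db()
    print("vulnerable handler still injectable:", still_injectable(lookup_vulnerable, db))
    print("safe handler still injectable:", still_injectable(lookup_safe, db))
```

The retest is the step the story turns on: a claim of remediation, or a clean scanner report, is only evidence once the original reporter's payload against the original endpoint stops behaving differently from benign input. Shell upload, the third item in the list, is a separate issue that this example does not cover.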
Source: [zSecure]