How I congratulated my nephew on his birthday

Once again, while using the Internet banking of Ukrainian Alfa Bank, my attention was drawn to the form for sending a receipt to an email address:

The interesting thing about it was that the message subject and message text could be edited. Having examined the request sent to the server, I found that it was possible to send no receipt at all, only the subject of the letter and the text of the message.

The resulting request has the following form:

https://my.alfabank.com.ua/report/email?id=&type=order&recipientEmail=your.email@gmail.com&subject=Привет!!!&body=Тут текст сообщения и ссылка http://fakesite.com&next=

Thus, it turned out that I could send a letter with absolutely any content on behalf of Alfa-Bank, from the address ccd@alfabank.kiev.ua, to any email address. I immediately notified the bank's security service about the vulnerability, but, unfortunately, after 2 months they had not taken measures to eliminate it. The only reassuring thing is that two-factor authorization via SMS or email was recently introduced in the Internet banking, so exploiting this vulnerability from hacked accounts has become an order of magnitude more difficult.
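The root cause described above is that the endpoint trusts three client-supplied values at once: the receipt `id` may be empty, and `subject` and `body` are taken verbatim into an email sent from the bank's own address. The following is an added example, not Alfa-Bank's code: it models a minimal receipt-mailing handler with the behaviour the post describes next to a hardened version that renders the subject and body from server-side templates and refuses requests whose receipt id is missing or does not belong to the logged-in user. It also shows the one log check a defender can run on such requests: a legitimate receipt send always carries an `id`, so a request with an empty `id` is worth flagging. The receipt store, the sender address, and the order identifier are constructed placeholders.

```python
"""Receipt-mailing endpoint: vulnerable behaviour vs. a hardened handler.

Constructed example modelled on the request shape in the post (GET
/report/email?id=...&recipientEmail=...&subject=...&body=...). The receipt
store, sender address and order ids below are placeholders, not real data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass
class Mail:
    sender: str
    to: str
    subject: str
    body: str


class RejectedRequest(Exception):
    """Raised by the hardened handler when a request must not produce mail."""


# Hypothetical receipt store. In a real system this is a database lookup
# scoped to the authenticated session, not a module-level dict.
RECEIPTS = {
    "ORD-1001": {"amount": "250.00 UAH", "payee": "Example Utility"},
}
SENDER = "receipts@example-bank.test"  # placeholder sender address


def parse_request(url: str) -> dict:
    """Flatten the query string of a /report/email request into a dict.

    keep_blank_values=True matters: an empty `id=` must survive parsing so
    the handlers (and the log check) can see that no receipt was referenced.
    """
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def vulnerable_handler(params: dict) -> Mail:
    """Mirrors the behaviour the post describes.

    Whatever the client puts in `subject` and `body` is mailed from the
    bank's address, and nothing requires `id` to reference a real receipt.
    """
    return Mail(
        sender=SENDER,
        to=params.get("recipientEmail", ""),
        subject=params.get("subject", ""),
        body=params.get("body", ""),
    )


def hardened_handler(params: dict, user_receipt_ids: set) -> Mail:
    """Same endpoint with the client-controlled surface removed.

    - `subject` and `body` from the request are ignored entirely; both are
      rendered from fixed server-side templates.
    - `id` must be non-empty, must exist, and must belong to the logged-in
      user (user_receipt_ids stands in for the session's authorization data).
    """
    order_id = params.get("id", "")
    if not order_id:
        raise RejectedRequest("receipt id is required")
    if order_id not in RECEIPTS or order_id not in user_receipt_ids:
        raise RejectedRequest("unknown or unauthorised receipt id")
    receipt = RECEIPTS[order_id]
    subject = f"Your payment receipt {order_id}"
    body = (
        f"Payment of {receipt['amount']} to {receipt['payee']}.\n"
        f"The receipt for order {order_id} is attached."
    )
    return Mail(sender=SENDER, to=params.get("recipientEmail", ""),
                subject=subject, body=body)


def is_suspicious_request(url: str) -> bool:
    """Log-review check: a receipt send with no receipt id is not a
    legitimate use of the feature, so flag it for investigation."""
    params = parse_request(url)
    return params.get("id", "") == ""


if __name__ == "__main__":
    # Constructed sample request in the shape described in the post.
    sample = ("https://bank.example/report/email?id=&type=order"
              "&recipientEmail=someone@example.test&subject=Hi&body=free%20text&next=")
    p = parse_request(sample)
    print("vulnerable handler would send subject:", vulnerable_handler(p).subject)
    print("flagged by log check:", is_suspicious_request(sample))
    try:
        hardened_handler(p, {"ORD-1001"})
    except RejectedRequest as e:
        print("hardened handler rejected:", e)
```

The hardened handler still lets the user choose the recipient address, which the feature legitimately needs; the point is that the only content leaving the bank's domain is text the server composed from a receipt the user is authorised to see.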

And finally, taking this opportunity, I congratulated my nephew on his birthday:

