Back to Home

Enumeration of links - receiving data about customers of Portmone and Fidobank

security · banks · bank · payment systems · plastic cards

Enumeration of links - receiving data about customers of Portmone and Fidobank

    The identical problem of link selection described here “ Leak of user data in QIWI ” in July and here, “ Tinkoff Bank compromised customer account statements? ” In August, I found at Ukrainian companies Portmone.com and Fidobank even earlier.
    I must say that these problems are already closed. However, there are others . I will write about both of them.

    imageimage



    Those who read the above posts understand what will be discussed below. For others, I’ll say briefly: there is (more precisely, it existed) the ability to obtain data on transactions performed by clients of these companies.

    I'll start in order (the errors are, in fact, completely identical).

    At Fidobankafter paying for the services in their Internet banking (i.e., you need to be a registered customer and log in to your account) it was possible to download a receipt for this payment / purchase. It was a long link type https://fidomarket.ua/purchase-history?p_p_id=historyportlet_WAR_fidoportlet&p_p_lifecycle=2&p_p_state=normal&p_p_mode=view&p_p_cacheability=cacheLevelPage&p_p_col_id=column-3&p_p_col_count=1&_historyportlet_WAR_fidoportlet_format=pdf&_historyportlet_WAR_fidoportlet_orderNum=XXXXXXXXXX&_historyportlet_WAR_fidoportlet_prodtype=Deposit (336 characters, by the way, pulled her out of page code).
    And this link was opened without authorization.
    It was enough to change the “orderNum” parameter and the site would give someone else's PDF.

    ), so here:

    image

    image

    Although I came across more interesting options (I note that operations were performed using Internet banking):
    image

    After my message, the error was closed quickly enough. I am glad that the bank has a special mailbox for reporting security problems. Although I do not agree with some answers to the situations I sent. As an example: when transferring from card to card (about this site, by the way, there was one article on Habré) for security, an authorization code is sent. Previously (I have not checked this for a long time), after completing the first transfer operation, if you make another transfer within ten minutes, the authorization code was not sent again - the current one was used. The staff insisted that it was normal and safe enough. And I think the bank just saved on SMS)

    another example
    If you look for their deposits on Google, there is a sub-site that Chrome doesn’t want to display:

    image

    image

    Chrome doesn’t show it to me even if I try to remove the letter “S” in the address.

    By the way, now Firefox, Opera and IE open this site without error, but I still have screenshots where this error appears in any of them.

    But banks' sites are like that. The other day, another Ukrainian bank, Forward, missed the deadline for renewing domain registration (already restored).



    So Portmone. After payment for the service, a message on the successful completion of the operation with the option to download the receipt in PDF is displayed on the page of this company. A link of the form portmone.com.ua/r3/uk/services/receipts/get-receipts/shop-bill-id/XXXXXXXXXXXXXXXXXXX . Going through the characters at the end, you can download the receipts of the site’s customers (the site did not ban when selecting). The most popular were mobile phone top-ups:

    image

    however, there were other payments:

    image

    Receipts were available for previous years (in the left part, in the middle: “Paid (Paid): 06/04/2010”):

    image

    This company also corrected the situation quickly enough, and now instead of the nameless “receipts.pdf” a file is downloaded in the format “payment date Paid service.pdf” - a trifle, but nice. Now the link has the same format, but the end is now 129 characters instead of 19: https://www.portmone.com.ua/r3/services/receipts/get-receipts/shop-bill-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .

    And then there’s a bank that, after the introduction of 3-D Secure, the CVV check fell off
    I just entered three units in the “CVV / CVC” field, received an SMS with a 3-D Secure code and the payment was successful. I tried to carry out the same operation with the PrivatBank card - I received the error message “Wrong CVV or card validity period”. And on the card of the now unnamed bank, the operation with the wrong CVV went through, checked several times.


    By the way, I’ll also say about transfers from card to card .

    Some sites make it possible not only to transfer money from card to card, but also to create a link to which the number of the card you specify and the amount (optional) will be "sewn". According to Portmone.com, "Money senders by clicking on this link will be able to transfer money from their card to yours online ." Such a service is useful in cases where you need to receive a transfer, but you do not want to divulge your card number: " Pass the link to the sender by clicking on it, your card number will be already filled in and the amount if it was indicated, " if you quote Privat.

    Here's what it looks like on the EasyPay website: Like this
    image

    on the PrivatBank website:
    image

    And like this - on the Portmone website:
    image

    Feel the difference? They do not hide the card number. (this is a test card, I’m not afraid to display it on the Internet. If you want to transfer money to me just like that for testing purposes, I will give the number of another card ;-)

    In general, I will end this way: errors are found everywhere. The main thing is to find them.

    Read Next