The Bank Job – breaking a mobile banking application

boris.in

135 points by deproders 10 years ago · 41 comments

jamies888888 10 years ago

It's actually quite heart-breaking to see the extent gone to to reveal the bug, and then to disclose it in full, for zero reward.

Whether or not a bug bounty programme exists at a company, if a bug this severe comes through the door, it should warrant a reward.

  • retox 10 years ago

    The next bug found will be sold on the blackmarket. False economy.

  • nbevans 10 years ago

    Presumably any reward would need to be approved by an executive other than just the IT director since clearly they have no policy in place. The IT director would not want his department's incompetence to be known higher up the board.

    As an aside, the OP claims it took 12 days to resolve but it is possible they took more immediate action by disabling the mobile app's ability to do transfers until they had resolved all the issues.

    • 0x424242 10 years ago

      It took 12 days for them to reply back saying that "They're working on a fix". The fix was not out at least until Late December/Early Jan. And they did not block fund transfers during the intermediate period either.

    • oxide 10 years ago

      ah, the benefit of the doubt.

      I used to give that out like candy, too.

franjkovic 10 years ago

The post is interesting, but I do not know why people assume they would get a bounty for a security report if the company does not have responsible disclosure / bounty program.

  • tobltobs 10 years ago

    It would be common sense to pay a bounty. Similar to the reward you should get if you find somebody's wallet. If you are known for not paying a bounty (a finder reward) some people will not tell you your security holes (will not give you back your wallet).

    In the long run this will be more expensive than the bounty. But the problem might be that if they would pay a bounty, they would admit that they screwed it up, which their lawyers would like to prevent.

    • bitJericho 10 years ago

      I would absolutely never expect or even accept a reward for a lost wallet. It's our duty as a member of a civilized society to not steal.

      If a wallet finder failed to give me my wallet back, I'd just call the police.

      • icebraining 10 years ago

        The options aren't just returning it or stealing it, they can simply leave it where it is to avoid the hassle of having to return it. Hence why having a custom of paying a reward might be beneficial for wallet losers in general.

        • wschroed 10 years ago

          I'd like to feel like people would be ethically and morally motivated to make efforts to do the right thing rather than expect to be rewarded for doing the right thing. Perhaps it is how I was raised, but it seems weird to me that I would turn in a lost wallet with expectation to get something back out of it. This so-called "custom" is not my custom. It actually seems very childish, where one is still in the phase of learning the importance of taking care of their neighbor.

          • rwallace 10 years ago

            Sure, but if I had heard several news reports of people finding and returning wallets being falsely accused of theft and subjected to serious legal threats, at that point if I saw someone's wallet lying around, I would just ignore it and keep going.

            The bug bounty isn't only about the money. It's also the company's way of advertising 'we aren't crazy assholes like those outfits you heard about on the news'.

            (Yes, fixing the law would be a good idea. But in the meantime, a bug bounty is the solution.)

          • tobltobs 10 years ago

            It's a bit far stretched but: You can expect people to be ethically and morally motivated or you can apply security patches to your servers.

            • wschroed 10 years ago

              I think I'm bikeshedding; the whole "finder's fee" nonsense bugged me. The analogy between lost wallets and servers doesn't actually hold. One can have thieves and indifference in both worlds, but the natures of the exposed items and victims are different. It is more acceptable to people -- though not any more right -- to figure that a faceless multi-million dollar corp can absorb a tiny theft/hit, but it is harder to allow pain to a relatable fellow human being. (...unless, of course, one is affected by bystander effect or pressured by authority)

        • bitJericho 10 years ago

          Hassle free return, drop it in a mailbox. Leaving it is an option, but the custom of returning things to their owner exists because one good deed begets another.

      • BuckRogers 10 years ago

        I lost my wallet once and someone turned it in to a nearby business, but with all the cash taken out.

        Not sure if the finder or the business took the cash but I guess they got their own reward. Not what I would do, but I'm glad they didn't take the cash and trash the wallet.

        • bitJericho 10 years ago

          Don't feel too bad. Could have been a thief at first that just left it on the sidewalk.

      • tobltobs 10 years ago

        The interesting question is "Would you pay a reward to a finder (~10%)?".

        • bitJericho 10 years ago

          I would not. It's an insult.

          • pc86 10 years ago

            You should never expect a reward.

            You should always give one. Claiming it's an "insult" to thank someone for going out of their way to do something they didn't have to do (v. doing nothing or throwing the wallet out) sounds like an easy excuse to be cheap.

          • bitJericho 10 years ago

            If you need any reward to do what's right you might need to search within yourself what kind of person you really want to be.

          • tobltobs 10 years ago

            Then you are a cheapskate at the cost of other wallet losers.

  • 0x424242 10 years ago

    OP here. I knew the bank wouldn't pay. But I wanted to initiate a discussion with the bank so they know that paying bounty for disclosures is a thing.

    • saganus 10 years ago

      Nice work OP.

      You gave them a tech analysis that should be worth some money, for free, at the same time (hopefully) bringing to their attention how bounty programs are a helpful thing for everyone. They should be feeling very lucky about it.

      However, the thing that worries me with these things is: what if some "bad guys" already knew about this and were exploiting it, and now that the bank is aware and might close the hole, it makes them angry and looking for retaliation?

      Hopefully you are taking precautions to be anonymous, but I know that where I live if I were to pull a stunt like that I would seriously consider watching my back for a while.

      Sad world we live in :( so take care OP.

      • prab97 10 years ago

        He is in Sweden. So definitely safer than being in India :-) Adding to that, I don't think bad guys from the computer world would go to great lengths to harm someone from physical world.

        • saganus 10 years ago

          I wouldn't be so sure of that.

          Being in Switzerland definitely helps, but still, India being a very big country, it wouldn't surprise me if they had some really-bad-guys(TM) mafias capable of hurting people in other countries.

          Of course, a small thing like this wouldn't necessarily pop up on their radars, but still...

          I guess part of the reason I think this way is because I live in a country where this is a real threat. Where posting things that real-bad-guys(TM) don't like can literally get you tortured and killed.

          • teknologist 10 years ago

            > Switzerland

            I see what you did there.

            • saganus 10 years ago

              Ahhh.... yes... damn. Didn't do it on purpose. Sorry about that 0x424242. I am always getting those two mixed up, even in my mother tongue.

              :(

              I guess the point still stands as I originally intended it though. Again.. sorry for the confusion. Even though I know my geography reasonably well, my mind brings the word and my mouth or fingers say something else.

            • 0x424242 10 years ago

              This never gets old.

    • retox 10 years ago

      The value of the write-up is a reward at least.

  • bdavisx 10 years ago

    If the bank doesn't have a disclosure/bounty program, you can easily end up getting yourself arrested.

  • tdkl 10 years ago

    Probably from goodwill. Sadly the bank couldn't afford it, they can afford getting stolen from anyway. The bank always wins.

  • 1024core 10 years ago

    Don't think of it as a bounty. Think of it as payment for services rendered.

LukeB_UK 10 years ago

Cached copy because the site seems to be struggling: http://archive.is/2FN8G

jbaviat 10 years ago

Having done similar pentests on similar applications during my previous jobs, you can imagine the level of security many editors have on the pair (client app, server). And we are talking here about a banking application: banks have always been more concerned by security than other software consumers.

forgingahead 10 years ago

It's actually important to name the vendor responsible for this mess so this doesn't happen again.

  • sremani 10 years ago

    I would not do it (if I were the guy). India is a litigious mess, and a motivated financial strongman/entity can screw you for years without a verdict; and if they allege there is a hacking attack, the judiciary is in no position to handle that kind of sophistication and has a more or less fire-first-and-ask-questions-later way of doing things.

  • prab97 10 years ago

    From one of the screenshots and other data points, it looks like it is SBI.

tener 10 years ago

Prediction: in the coming months we will hear about more issues of this kind. This time though it will be mafia inspired by the story, stealing money for real.

udkl 10 years ago

This is the result of hiring mediocre developers and not performing sufficient security testing/analysis and threat modeling.