HDFC CLEAN BOWLED by Hidden SQL Injection Vulnerability
1. How often do we find ourselves irritated by the constant reminders from banks to change our passwords every 15 days, to include a few lower-case letters, a few capitals, a few digits and a few special characters, so that many account holders lose track of what their last password was. In spite of loud claims by most banks that they run highly secure banking networks, here comes a boomerang for HDFC: despite repeated warnings from zSecure, a firm providing penetration testing services for networks, servers and web applications, HDFC appeared to have no inkling of what it had been warned about or what needed to be done, simply relying on a third-party assessment and ending up in a surrender situation. The story goes like this.
HDFC was warned about a hidden SQL injection vulnerability by the firm zSecure. The subject vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). The HDFC Bank’s team took around 22 days to respond to our e-mail, and their first response came on 08-August-2011 with the message:
“Thank you for sending us this information on the critical vulnerability. We have remediated the same.”
After their e-mail, we again checked the status of the said vulnerability and found that it was still active on their web portal. We immediately replied to their e-mail with additional proof of the vulnerability and asked them to fix it as soon as possible. Two days later we again received an e-mail from their team with the message:
“We have remediated all the vulnerabilities reported on our website. Also, we have had the application vulnerability assessment performed through one of our third-party service providers, and they confirmed that there are no more SQL injection vulnerabilities.”
Their above response left us with an unexpected surprise. We could not believe that such a big organization does not have a proper vulnerability assessment process in place, because we had already reported the vulnerability to them, and even after conducting a vulnerability assessment through a third party (as claimed) they were not able to find the active vulnerability in their web portal. Thereafter, we sent complete inputs about the vulnerability to their security team, and finally the vulnerable file was removed from HDFC’s web server.
2. The story goes on to confirm how vulnerable we all are to such holes. This is not to blame the bank alone, but the policies and measures that are supposed to be taken and adopted are not firmly in place to date; everything is left to dependence on a third-party solution. It is high time for all banks to take measures constantly and keep themselves updated on all the new vulnerabilities around.
3. Thanks http://www.zsecure.net