Re: Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine) Oct 19 2010 06:00PM
MustLive (mustlive websecurity com ua)
Hello Andriy and Bugtraq!

It's interesting issue in LiqPAY. Which was quickly fixed by Privat Bank
after your disclosure.

Even if they denied to fix it (as not issue in their opinion) at 22 March
2010, when you officially informed them, already at 27 March 2010 they fixed
it, by adding site's address into the text of sms. Even at 11 March 2010
they changed their default text of sms and added into it the suggestion to
not pass password to third party. All these changes will not eliminate all
forms of phishing, but still is an improvement of sms-message.

So there was an effect from your informing and disclosing of this
vulnerability ;-) and Privat Bank fixed it. This is that rare case when
they fixed the holes which they were warned about. Because they ignored all
my warnings to Privat Bank during 2008-2010 about multiple vulnerabilities
at many of their sites (and so didn't answer and didn't fix the holes).

Also interesting that this issue is similar to one of issues of Privat
Bank's Privat24 for Facebook, which you disclosed recently
And if they fixed issue with sms in case of LiqPAY, then they didn't fixed
it in case of Facebook version of Privat24. Which is strange, because they
could quickly fixed text of that sms-messages, as they early did for their
LiqPAY system.

Best wishes & regards,
Administrator of Websecurity web site

Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank
Mar 22 2010 05:38PM
Andriy Tereshchenko (tag 24 odessa ua)

> 1) Affected Service
> * LiqPAY micro-payment system from PrivatBank, Ukraine
> 2) Severity
> Rating: Moderate (need user actions)
> Impact: Exposure of sensitive financial information and unauthorized
> access to system
> Where: Remote (man-in-the-middle)

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus