[Hacking Banks] Broken Access Control Vulnerability in Banking application [PART I]

Abdelhak Kharroubi
4 min read · Oct 10, 2022

This is Part I of the story about finding a critical vulnerability in a banking mobile app that lets an attacker obtain a user's full account information (balance, transaction list) and transfer money knowing nothing more than the victim's phone number.

Introduction:

Hacking a bank is one of the things you must cross off your bucket list as a credible hacker. Banks are supposed to have impenetrable security to the outside world, or at least that’s how they usually market themselves. Closer to reality and more in line with the can-do attitude of hackers, banks are just as vulnerable as other organizations and industries.

A few months ago, I was performing freelance reverse engineering on a couple of banks' mobile apps to obtain their APIs.
Typically, banking apps rely on client-side protections such as SSL pinning, root detection, and request and response encryption, which can lead the backend team to overlook some server-side security measures. In this case, I found a Broken Access Control vulnerability.

Access controls are designed to prevent users from acting outside their intended permissions. When these controls are flawed or missing, users can act outside their intended permissions, which may allow attackers to steal other users' information, modify data, and perform actions as other users.

I’ll explain in detail in this article how I discovered this vulnerability:

1: Getting around the application:

First, we need to run the Frida server in the background and start the banking application on a rooted device.
I used frida_multiple_unpinning.js to disable SSL pinning and intercept all requests between the app and the API.

All requests are encrypted. We'll restart the application and use tracer-cipher.js to hook the Java class javax.crypto.Cipher, which is responsible for encryption and decryption. However, I didn't receive any output.

Decompile the APK and understand the code:

Starting with jadx-gui to read the Java source code, then reading AndroidManifest.xml to find the main activity.

The usage of Apache Cordova packages confirms that the app runs in a WebView.

Cordova is an open-source framework that lets you convert HTML, JavaScript, and Cascading Style Sheets (CSS) into a native application that can run on iOS, Android, and other mobile platforms.

Now we know that the encryption is done in JavaScript code, which is why the Frida script produced no output.

Debugging the JavaScript code in the WebView:

1 — Getting the source code (HTML, CSS and JavaScript):

In Jadx, go to

The files are encrypted.

Returning to the Java source code, there is a class responsible for decrypting these files:

We now have all of the information we need to decrypt these files:
IV: KQo2XYXH2uek8k7K
Key: ejj8me0xdPMN7fjWCcTUfJxOotGD/G94
Encryption Algo: AES
Mode: CBC
Padding: PKCS5Padding

I created a Python script that recursively scans the /WWW/ directory for encrypted files, decrypts them, and saves the result as clear text under a new path, /WWW2/.
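The same decryption step as an added example, not the author's script: a Go version using only the standard library that walks the encrypted asset directory, reverses AES/CBC/PKCS5Padding with a caller-supplied key and IV, validates the padding so a wrong key or a file that was never encrypted is reported instead of being written out as garbage, and mirrors the tree under a second directory. Key, IV and paths are parameters here; nothing from the APK is embedded. The point for the app's developers is that once the key and IV are readable in the APK, this is all it takes to recover the bundle.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"os"
	"path/filepath"
)

// DecryptAESCBC reverses AES/CBC/PKCS5Padding with a caller-supplied key and IV;
// malformed padding after decryption is the usual sign of a wrong key or IV.
func DecryptAESCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key, IV or ciphertext length: %v", err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS5 padding")
	}
	return pt[:len(pt)-pad], nil
}

// DecryptTree walks src, decrypts every regular file and writes the plaintext
// to the same relative path under dst (the post's /WWW/ -> /WWW2/ step).
func DecryptTree(src, dst string, key, iv []byte) error {
	return filepath.Walk(src, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		ct, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		pt, err := DecryptAESCBC(key, iv, ct)
		if err != nil {
			return fmt.Errorf("%s: %w", p, err) // wrong key/IV, or a file that was never encrypted
		}
		rel, _ := filepath.Rel(src, p)
		out := filepath.Join(dst, rel)
		if err := os.MkdirAll(filepath.Dir(out), 0o755); err != nil {
			return err
		}
		return os.WriteFile(out, pt, 0o644)
	})
}
```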

After decryption, I served the WWW2 directory with an HTTP server and opened it in a browser. However, various JavaScript functions did not work and I ran into numerous problems, so I moved on to the second approach.

2 — Load Stetho and use Chrome Developer Tools:
Stetho is a sophisticated debug bridge for Android applications. When enabled, developers have access to the Chrome Developer Tools feature natively part of the Chrome desktop browser. Developers can also choose to enable the optional dumpapp tool which offers a powerful command-line interface to application internals.

Steps

  • 1. Download Stetho — http://facebook.github.io/stetho/
  • 2. Rename it to stetho.jar
  • 3. Download dex2jar — https://sourceforge.net/projects/dex2jar/
  • 4. Convert the jar file to dex — d2j-jar2dex.sh stetho.jar
  • 5. Push the dex file to /data/local/tmp/

adb push stetho-jar2dex.dex /data/local/tmp/stetho.jar

  • 6. Spawn the app with Frida and load load_stetho.js

frida -U --no-pause -l load_stetho.js -f com.the.banking.app

  • 7. Open Chrome at this address

chrome://inspect/#devices

  • 8. Inspect your app!

Please check out Part 2, where I explain how I debugged the obfuscated JavaScript with breakpoints to reveal the parameters before encryption, how I discovered the vulnerability, and how I created a Python script to exploit it.

[Hacking Bank] Broken Access Control Vulnerability in Banking application [PART II]
