Kotak Mahindra Bank users can be tricked to sign in fake site by displaying fake message in their site

A security flaw in the Kotak Mahindra Bank allows attackers to trick customers into sign in to fake websites by displaying fake message in their official site.

A security researcher, Rishi Narang, has discovered a design-flaw in the official website of Kotak Mahindra Bank. This flaw won't allow attackers to compromise server or user information but they can lure user to log in to fake sites. How?!

He discovered the flaw in the Access Code generation page (hxxp://www.kotak.com/pg/GeneratePin.jsp).  When a user click the "Generate the access code' link, it will generate a code & send to your mobile number, or an error message as per the information supplied on the previous page.
Access Code generation page

Here, the developer made the mistake.  When generating the error message, it gets the response from the server and appends it in form of GET request in URL. For instance, if the error message is ' access code can't be generated', the url will look like this:

hxxps://www.kotak.com/pg/GeneratePin.jsp?flagvalue=NNA&ErrorMsg1=Sorry the access code can\’t be generated

It means that attacker can customize the message and trick users into log in to some other phishing(fake) websites. In a typical scenario, a cyber criminal can send a spoofed emails and lure user to click the crafted url.  For example:

hxxps://www.kotak.com/pg/GeneratePin.jsp?flagvalue=XSS&ErrorMsg1=Dear Alice,\nYour last account access is not matched.\nPlease close this page, and login
to www.kotak-security.example.com to update your settings immediately.\n\nBest Wishes,\nKotak Mahindra Bank
Clicking the above crafted-url will displays the following message.

Fake error message in bank site

So innocent users will believe in the message , as it is being displayed from the official website itself.  He will log in to the fake site.  What happens next?! He become victim of the phishing attack.

"I think the critical websites, specially if they are dealing with financial information should surely address such design flaws, and make sure there is now way a malicious user can use their design to fool its victims.Kotak should fix this before it falls in the hands of wrong people." Researcher says.
Category: /

Share this with Your friends: