I received a Bank offer in my mailbox and discovered an IDOR vulnerability - $5,000 bounty - @bxmbn

In October 2023, I opened a bank account with the hope of uncovering any vulnerabilities. I had tested this bank program before, however I had no luck; it is a very well-known Bank, so it was very hard to find something unless I really put the hours. I was getting invited to other programs at that time, so I eventually halted my efforts and decided to focus on these new opportunities.

After my running routine on November 17th, I returned home and, as usual, checked my mailbox. There, I discovered an offer from a bank. It dawned on me quickly that this was an offer from the same bank I had tested last month.

Banks usually sends these offers to their customers to open new accounts, which tends to offer some benefits like “no annual fee and/or 0% intro APR”

After taking a shower following that long run, I sat down at my PC to access the offer.

I entered both reservation code and access code:

The server then redirected me with an access-encoded key, something like

https://apply.bxmbnbank.com/?ridNumber=U2fsdGXkX1%2FD2t6FFmuvS7zVam%2Bvp9avVFbxQYrTM1Sa6e7y876LHulztDoJvxue

I accessed my offer and all my personal information was stored there, So I was curious if I can somehow decode the ridNumber to maybe try to access another user’s offer, I quickly looked into the response and found a parameter called ridNumber too, same as the one I had in the URL, but this had a numeric value, it wasn’t encoded.

I thought, oh, this may be the decoded version, will it work?

https://apply.bxmbnbank.com/?ridNumber=0075514045460235

It did worked!

Surprisingly, the server accepted the decoded version. I began to wonder if it was vulnerable to IDOR. I modified the last two numbers and gained access to offer 0075514045460243, which belonged to a completely different user. And just to make sure, I then tried 0075514045460241 and 0075514045460255 revealing the PII of those as well, stopped there and reported it

This vulnerability could have allowed an attacker to access other user’s offers, revealing sensitive personally identifiable information such as complete names, residential addresses, emails, phone numbers, and dates of birth.

I was surprised this issue hadn’t been reported before, considering this Bank has a very active bounty program. It’s also one of the biggest Banks in America. This highlights the importance of inspecting every value in the response and just applying common sense whenever is needed.

Timeline:

Reported → November 17th, 2023

Triaged → November 19th, 2023

Bounty Awarded → November 21th, 2023

NEXT:

Zero User Interaction Cache Poisoning/Deception Cases — $50,000 bounties — @bxmbn