
How to take Bradesco Internet Banking away from its users?


It sounds like a science-fiction story about hackers and crackers manipulating central computers in Manhattan, New York City, but no, this is very simple. Many might call me a lamer or something, but it is extremely important for the bank to have security focused on the aspect illustrated in this post.

Not only Bradesco's internet banking but that of other banks is vulnerable to this security flaw. Bradesco explicitly, in its iPhone application (which can be accessed from any computer with internet access, or any device), asks for several important account-access items on the very first page: branch, account, and password.

When you enter your password incorrectly more than 3 times, your account is blocked from accessing Internet Banking. It can only be unlocked at the branch.

Okay, but what if this is done to all accounts? Difficult? No, this is extremely easy. The server accepts POST requests (forms sent over HTTP), and the data can be generated in a loop, going from account to account and from branch to branch, trying 3 wrong passwords each time just to lock everyone's account. What would this result in? Since everyone can only unlock the Internet Banking function at their own branch, many people would go to the bank that day to regain access, mainly companies that need Internet Banking daily for use by HR employees and others.

What if this happened on a payday? Many salaries would be withheld and many people would not receive them, since HR needs to log into the application to set the salary amounts of its employees (unless they still live in the stone age, writing on paper and sending it to the branch by courier).

How can this be done? One way, which I did myself, was a PHP program created to send POST requests to the server, with the result shown on screen as "invalid password" for each attempt, running inside a "for" and a "while"... for example: as long as (while) you do not receive an "invalid password", keep trying (perhaps the person's password happens to match what the system is using), and then, inside the for, the numbers between 1 and 700,000 (since that can be taken as the average number of accounts per branch, taking into account old branches with many cancelled accounts, savings accounts, etc.).

But wait, what about the virtual keyboard? Well, we are talking about a POST request; when you submit a form, you did not use the virtual keyboard to do it. What we are talking about is creating a form in HTML, pointing the form's action at the Bradesco server and clicking "send"; the browser then takes care of sending the form to the server.

Perhaps it would be safer if the server did not allow form submissions with an HTTP_REFERER other than its own domain: for example, if the form arrives with no HTTP_REFERER information, the request is not authorized, but if HTTP_REFERER carries the information "bradesco.com.br", the request is authorized.

The HTTP_REFERER is simply information the browser sends to the server telling it where the form came from, or rather the last page accessed; however, for anyone who understands HTTP headers, it would be easy to manipulate when sending the POST over a socket on Windows, Linux or any other operating system (even Safari allows changing some HTTP information once the developer function is enabled, such as the browser being used, which lets you view the iPhone version of a site in Safari on your computer with a single click, as well as disguising yourself as Internet Explorer, Firefox and others, since there is an option to customize it).
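As an added defender-side example (not code from this post), the pattern described above, one source locking account after account in sequence, is visible in the bank's own login audit log whether or not the Referer header was spoofed. The script below assumes a constructed log format and hypothetical thresholds, and flags any source address that drives more than a couple of distinct accounts to lockout within a short window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a login audit log (hypothetical format, not Bradesco's):
# "<ISO timestamp> <source ip> <branch>-<account> <result>"
SAMPLE_LOG = """\
2011-05-05T09:00:00 203.0.113.7 0001-000101 FAIL
2011-05-05T09:00:01 203.0.113.7 0001-000101 FAIL
2011-05-05T09:00:02 203.0.113.7 0001-000101 FAIL
2011-05-05T09:00:03 203.0.113.7 0001-000102 FAIL
2011-05-05T09:00:04 203.0.113.7 0001-000102 FAIL
2011-05-05T09:00:05 203.0.113.7 0001-000102 FAIL
2011-05-05T09:00:06 203.0.113.7 0001-000103 FAIL
2011-05-05T09:00:07 203.0.113.7 0001-000103 FAIL
2011-05-05T09:00:08 203.0.113.7 0001-000103 FAIL
2011-05-05T09:00:20 198.51.100.9 0001-000200 FAIL
2011-05-05T09:00:25 198.51.100.9 0001-000200 OK
"""

LOCKOUT_THRESHOLD = 3        # wrong passwords after which the account is blocked (from the post)
WINDOW = timedelta(minutes=5)
MAX_LOCKED_PER_SOURCE = 2    # distinct accounts one source may lock in WINDOW before alerting

def parse(log_text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, acct, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, acct, result))
    return events

def lockout_storm_sources(log_text):
    """Map source IP -> sorted accounts it locked, for IPs that pushed more than
    MAX_LOCKED_PER_SOURCE distinct accounts to lockout within WINDOW."""
    failures = defaultdict(list)   # (ip, acct) -> recent failure timestamps
    lockouts = defaultdict(list)   # ip -> [(ts, acct)] lockout events
    alerts = defaultdict(set)
    for ts, ip, acct, result in sorted(parse(log_text)):
        if result != "FAIL":
            failures[(ip, acct)].clear()   # a success resets that account's counter
            continue
        failures[(ip, acct)] = [t for t in failures[(ip, acct)] if ts - t <= WINDOW] + [ts]
        if len(failures[(ip, acct)]) < LOCKOUT_THRESHOLD:
            continue
        # This failure locked the account; record it against the source and prune old ones
        lockouts[ip] = [(t, a) for t, a in lockouts[ip] if ts - t <= WINDOW] + [(ts, acct)]
        distinct = {a for _, a in lockouts[ip]}
        if len(distinct) > MAX_LOCKED_PER_SOURCE:
            alerts[ip] |= distinct
    return {ip: sorted(accts) for ip, accts in alerts.items()}
```

The rule keys on behaviour in the server's own records rather than on HTTP_REFERER, which the paragraph above shows is under the client's control.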

The Opera browser also has this function of "faking" your browser identity, disguising itself as other browsers; however, it has no option to customize as you wish, being limited to "Disguise as Internet Explorer" and "Disguise as Mozilla Firefox".