What happened?
During audits, it is crucial to check every possible attack vector, including the seemingly obvious functionality. This diligence led us to discover, during one of our web application audits, that the server did not verify the correctness of the SMS code entered by applicants during the credit request process, neither at the start of the process nor at the final document-signing stage. In short: a credit application could be submitted without any verification.
In this case, all that was needed to submit a credit application was the client's national identification number.
How does the attack proceed?
Logging into the client portal requires the national identification number. After entering it, SMS code authentication follows. Once the code is entered, the following request is sent:

The server does not check whether the entered SMS code is correct; any six-digit value is enough to be granted authorization:

Below is a list of example codes that worked during our tests:
- 222222
- 333333
- 123456
- 987321
Furthermore, we confirmed that at the end of the process, when the user signs the completed document together with the consents, the application requests another SMS code. In this case, however, the code is not even sent to the server in the GET request!

Despite this, the process concludes successfully, and we are informed that the credit application has been submitted.
What can we recommend?
During application development, ensure that every implemented authentication mechanism is verified on the server side, at every step where it is requested, and not merely checked for format.
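To make the recommendation concrete, the following added example (our own illustration, not code from the audited application) contrasts a check that mirrors the audited behaviour, accepting any six-digit value, with a server-side verifier that binds the code to the session, enforces expiry and an attempt budget, compares in constant time and allows a single use. The lifetime and attempt limit are assumed values not stated in the write-up; the same verify call must be made at both the login step and the signing step.

```python
import hmac
import re
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed code lifetime; not stated in the write-up
MAX_ATTEMPTS = 5        # assumed per-code attempt budget; not stated in the write-up
SIX_DIGITS = re.compile(r"\d{6}")


def verify_sms_code_vulnerable(submitted: str) -> bool:
    """Mirrors the audited behaviour: only the format is checked, never the value."""
    return SIX_DIGITS.fullmatch(submitted) is not None


class OtpStore:
    """Server-side store of one pending code per login session (hypothetical helper)."""

    def __init__(self, now=time.time, gen=None):
        self._now = now                     # injectable clock so expiry can be tested
        self._gen = gen or (lambda: f"{secrets.randbelow(10**6):06d}")
        self._pending = {}                  # session_id -> [code, expires_at, attempts_left]

    def issue(self, session_id: str) -> str:
        """Generate a code for this session; the value goes to the SMS gateway only."""
        code = self._gen()
        self._pending[session_id] = [code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """Hardened check: format, session binding, expiry, attempt limit, single use."""
        entry = self._pending.get(session_id)
        if entry is None or SIX_DIGITS.fullmatch(submitted) is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[session_id]       # expired: a new code must be requested
            return False
        entry[2] -= 1
        if not hmac.compare_digest(code, submitted):
            if entry[2] <= 0:
                del self._pending[session_id]   # budget exhausted: invalidate the code
            return False
        del self._pending[session_id]           # correct, and usable only once
        return True
```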