Fiserv, a Fortune 500 firm that provides technology services to hundreds of banks and other financial institutions, ran a web platform with a critical vulnerability that allowed any logged-in customer of an affected bank to view the email addresses, phone numbers, and full bank account numbers of other account holders.
The vulnerability sat in Fiserv's hosted online banking services, specifically the transaction alerting component that supports the websites of hundreds of banks. Follow-up testing by the security news site KrebsOnSecurity showed that the same flaw was not confined to one bank but was present at other banks running on Fiserv's platform.
Sequential event numbers exposed customer accounts
The vulnerability was first observed by security researcher Kristian Erik Hermansen, who discovered it while signing up for instant email alerts about transactions on his bank account.
While signing up, he noticed that his bank assigned a specific "event number" to each of his alerts. On a hunch that event numbers were assigned sequentially across all account holders, he repeated the request after decrementing the event number by one.
His hunch was right: by stepping through event numbers one at a time, Hermansen could view the email addresses, phone numbers, and full bank account numbers of other customers of the same bank. No privilege beyond an ordinary customer login was required; the server simply never checked that the requested alert belonged to the requesting user.
"I shouldn’t be able to see this data. Anytime you spend money, that should be a private transaction between you and your bank, not available for everyone else to see," he told KrebsOnSecurity. Even though he informed his bank as well as several top executives at Fiserv about the vulnerability, he got no response.
To find out whether the vulnerability was restricted to one bank's website or was systemic, Brian Krebs of KrebsOnSecurity offered to help Hermansen and opened accounts at two small local banks that used Fiserv's services.
"In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request. I was relieved to find I could not use my online account access at one bank to view transaction alerts I’d set up at a different Fiserv-affiliated bank," he noted.
Given that Fiserv holds a 37 percent market share, earned $5.7 billion last year, and serves over 1,700 banks, the flaw, had it been found by criminals first, could have exposed the bank account details, email addresses, and phone numbers of millions of account holders at every institution running the affected component.
Following the disclosure, Fiserv released a statement acknowledging the vulnerability and attributing it to an issue with “a messaging solution available to a subset of online banking clients.”
Did Fiserv skip a basic penetration testing exercise?
"Fiserv places a high priority on security, and we have responded accordingly. After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution," said Fiserv spokesperson Ann Cave to KrebsonSecurity.
"While ultimately responsible for the software flaw that has allowed this vulnerability to surface across multiple financial institutions, what’s more alarming than Fiserv’s shortcomings in design is that this has not been unearthed by any of their customers. What happened to the basic activity of penetration testing? This is a super trivial flaw to identify and even the most junior web application penetration tester should find it," said Adam Brown, manager of security solutions at Synopsys.
"To avoid this kind of issue Fiserv would have had to go back to their design. Web applications should never allow users to access objects or controls directly. Indirect object reference maps should be used. That knowledge would be part of basic security training all software engineers should go through.
"Fiserv may have some angry corporate customers, but ultimately the risk lies with those very organisations as the controllers of their own and their customer’s data. That said, it’s likely that Fiserv, as data processors, will also be held to account by privacy watchdogs," he added.
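The flaw Hermansen found and the remedy Brown describes are both easy to show in code. The following is an added example written for this page, not Fiserv's software or anything published by the researchers: a constructed alert store keyed by sequential event numbers (the data, customer names, and function names are all illustrative), the decrement-and-resend enumeration that exposes it, a version that binds every lookup to the requesting user, and an indirect object reference map in which the client only ever sees per-session random tokens.

```python
"""Constructed example: a transaction-alert lookup keyed by a sequential
event number, the enumeration that exposes it, and two hardened versions.
Not Fiserv's code; the data, names and functions are illustrative."""
import secrets


class Forbidden(Exception):
    """Raised when a request must be refused (missing or foreign object)."""


# Constructed sample store: event numbers are handed out sequentially,
# as the article describes, so neighbouring IDs belong to other customers.
ALERTS = {
    1001: {"owner": "alice", "email": "alice@example.com",
           "phone": "555-0101", "account": "12345678"},
    1002: {"owner": "bob", "email": "bob@example.com",
           "phone": "555-0102", "account": "87654321"},
    1003: {"owner": "alice", "email": "alice@example.com",
           "phone": "555-0101", "account": "12345678"},
}


def vulnerable_get_alert(user, event_number):
    """Mirrors the reported flaw: the handler trusts the event number in the
    request and never checks that the alert belongs to the caller."""
    alert = ALERTS.get(event_number)
    if alert is None:
        raise Forbidden
    return alert


def owner_checked_get_alert(user, event_number):
    """Direct reference, but every lookup is bound to the requesting user.
    A missing and a foreign alert raise the same error, so the response
    does not tell an enumerator whether a neighbouring ID exists."""
    alert = ALERTS.get(event_number)
    if alert is None or alert["owner"] != user:
        raise Forbidden
    return alert


def enumerate_neighbours(user, start, count, get_alert):
    """What Hermansen did: re-issue the request with the event number
    decremented, and record whose data comes back for each ID."""
    seen = {}
    for n in range(start, start - count, -1):
        try:
            seen[n] = get_alert(user, n)["owner"]
        except Forbidden:
            pass
    return seen


class ReferenceMap:
    """Indirect object reference map, one instance per user session:
    the client only ever sees random tokens, never the real event number,
    and tokens have no order to step through."""

    def __init__(self):
        self._tokens = {}          # token -> event_number

    def token_for(self, event_number):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = event_number
        return token

    def resolve(self, token):
        return self._tokens.get(token)


def indirect_get_alert(user, session_map, token):
    """Resolve the caller's token through the caller's own map, then still
    enforce ownership (defence in depth: the map is not the only check)."""
    event_number = session_map.resolve(token)
    if event_number is None:
        raise Forbidden
    return owner_checked_get_alert(user, event_number)


def demo():
    # Bob has just been told his new alert is event number 1002 and walks
    # downward from 1003, first against the flawed handler, then the fixed one.
    leaked = enumerate_neighbours("bob", 1003, 3, vulnerable_get_alert)
    fixed = enumerate_neighbours("bob", 1003, 3, owner_checked_get_alert)

    # With indirect references, Alice's session map issues a token for her
    # alert; Bob's session has no mapping for that string, so it resolves
    # to nothing for him.
    alice_map, bob_map = ReferenceMap(), ReferenceMap()
    alice_token = alice_map.token_for(1001)
    own = indirect_get_alert("alice", alice_map, alice_token)["owner"]
    try:
        indirect_get_alert("bob", bob_map, alice_token)
        stolen = True
    except Forbidden:
        stolen = False
    return leaked, fixed, own, stolen


if __name__ == "__main__":
    print(demo())
```

The two hardened paths are deliberately layered: the reference map removes the guessable identifier from the wire, while the ownership check inside `owner_checked_get_alert` still runs on every resolved ID, so a token that somehow reaches the wrong user's session (or a bug that shares a map between sessions) is refused rather than honoured.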