
Stealing checks worth millions & pwning a bank

submitted by
Style Pass
2022-05-16 12:00:09

Another long (hacker) story of mine! Once upon a time contracted to do a penetration test on a bank… I spent the better part of a week assessing every nook and cranny of the main web application. I mapped every function, and every web path, but the main website was very hardened.

After spending a lot of time understanding it, most of the makeup of the transfer system was API based and the infrastructure was AWS. I decided to open up the mobile application to see if it was any different and if its functions were on the same domain.

I proxied the iOS app through a proxy to see its web traffic. I was also running the app on a jailbroken phone to see what files were created when installing and using the app. Nowadays you can proxy your mobile apps like this. The first issue I found was because of a new feature many banks were launching at that time:

When using this function the app was storing these images in folders on the phone that were readable by other apps (shared storage). This was bad. Using URL schemes in different popular apps that were allowed to access shared storage, I wrote a proof-of-concept piece of JavaScript that could steal these check images and send them back to myself. It would be easier, though, to use the bank's own domain in these attacks. I lucked out and found a Cross-Site Scripting bug on one API endpoint that was not returning a JSON content type and was reflecting my input. The previous attack was now much easier.
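An added example (not code from the original post) of the response-triage check that the XSS finding above calls for: it flags captured API responses that echo a probe string back without serving it as JSON with nosniff, and shows the corrected response shape. The endpoint URLs and sample responses are constructed.

```python
"""Triage captured API responses for the bug in the story:
input echoed back in a response that is not served as JSON."""
import json
from dataclasses import dataclass, field

# Harmless, constructed marker to look for in the echoed body.
PROBE = "<probe-7f3a>"

@dataclass
class Captured:
    """One response as seen in the proxy (constructed for this example)."""
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def header(resp, name):
    """Case-insensitive header lookup, '' if absent."""
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), "")

def media_type(resp):
    """Lower-cased Content-Type without parameters, '' if absent."""
    return header(resp, "Content-Type").split(";")[0].strip().lower()

def assess(resp, probe=PROBE):
    """Return findings for a response that reflects the probe verbatim."""
    findings = []
    if probe not in resp.body:
        return findings
    ct = media_type(resp)
    if ct != "application/json":
        findings.append(f"reflects input with content type '{ct or 'missing'}'")
    if header(resp, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("reflects input without X-Content-Type-Options: nosniff")
    return findings

def json_response(payload):
    """The fix: always emit JSON with an explicit type and nosniff."""
    return ({"Content-Type": "application/json; charset=utf-8",
             "X-Content-Type-Options": "nosniff"}, json.dumps(payload))

# Constructed samples: one endpoint that behaves like the bug, one fixed.
VULNERABLE = Captured("https://api.example.invalid/v1/legacy/lookup?q=" + PROBE,
                      {"Content-Type": "text/html"}, "No results for " + PROBE)
FIXED_HEADERS, FIXED_BODY = json_response({"query": PROBE, "results": []})
FIXED = Captured("https://api.example.invalid/v1/lookup?q=" + PROBE, FIXED_HEADERS, FIXED_BODY)

def triage(responses):
    """Map url -> findings, only for responses with at least one finding."""
    return {r.url: f for r in responses if (f := assess(r))}

if __name__ == "__main__":
    for url, f in triage([VULNERABLE, FIXED]).items():
        print(url, f)
```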
