Good-Guy Hacker Finds Flaw that Could Have Drained $25B from an Indian Bank

Last year, during a cold, gray, late fall weekend in Sweden, security researcher Sathya Prakash found out that with just a few lines of code, he could steal money from any or all customers of one of India's biggest banks—all because of the bank's faulty mobile app.

Luckily for the bank, Prakash is a friendly "white hat" hacker who finds flaws to get them fixed. So, instead of taking advantage of a series of critical flaws in the app, he told Motherboard he immediately reached out to the bank to alert it of the issues and help fix them instead of trying to steal any of the $25 billion that the bank has in deposits.

"I could've done this with anybody's account," Prakash told Motherboard in a phone call, adding that all he needed was the victim's account number.

Prakash analyzed the bank's app, and in just a few hours, he found several bugs. One of the these allowed him to see customer records such as their current account balance and deposits simply automating and guessing customer IDs. That was just the beginning though, and when he kept digging, he "hit a gold mine" finding a "huge bug:" anyone with the app and an account in the bank could transfer money from anyone else's account.

"I was able to transfer money from any source account to any destination account," Prakash wrote a blog post, which he published on Monday, explaining that there were no checks whatsoever to make sure that the transfer orders were really coming from the account holder.

Prakash told me that he successfully tested this flaw using his parents' accounts.

"Few of those accounts don't even have net banking or mobile banking activated," he wrote in the post. "And it all worked like a charm."

If he had been a criminal, Prakash told me, he could've easily opened an account using a fake ID, then identified the accounts with the most money, and transferred large sums to several accounts, including his (in order to confuse investigators trying to figure out who was behind this). At that point he could have withdrawn the money and ship it in bitcoins.

Saumil Shah, a security researcher who is a consultant for three of the top five Indian banks, reviewed Prakash's findings and said he wasn't surprised.

"All I can say is that things are much worse than this chap has discovered," he told Motherboard in an email. "I shudder to even think. […] The flaws are so systemic and deep that only prayer will help these guys. I'm surprised they're not attacked massively yet."

Prakash emailed the bank, which he declined to name, on November 13, 2015. The bank answered on November 25. The bank's deputy general manager informed him that the issues he pointed out had been fixed, and wished him "a nice day," without promising any kind of reward of bug bounty.

"It took them 12 days to respond to an email saying 'Hey, your several billion worth deposits are at risk,'" Prakash wrote. "[That] was stunning."

This incident shows once again that banks need to take the security of their apps more seriously. At the end of last year, another researcher published a study on the security of 40 banking apps. This researcher found that most had significant, and fairly basic, security issues even after he had already sounded the alarm on the poor state of banking apps' security in 2013.