Fiserv just fixed a technical flaw that exposed personal and financial details of customers, including emails, phone numbers, bank account numbers, and alert details, across hundreds of bank websites just by editing a single digit in the request URL.
Brian Krebs validated the findings and provided a detailed report.
Two weeks ago, security researcher Kristian Erik Hermansen discovered something curious while logged into an account at a local bank using Fiserv’s platform. Hermansen had signed up to get email alerts any time a new transaction posted to his account. He noticed the site assigned his alert a specific “event number.” Working on a hunch that these numbers might be sequentially assigned, Hermansen requested the same page again but first edited the site’s code in his browser, decrementing the event number by one digit. Instantly, he could view and edit alerts previously set up by another bank customer, along with their email address, phone number and full bank account number. Hermansen said a cybercriminal could enumerate all other accounts with activity alerts on file, and add or delete phone numbers or email addresses to receive alerts about account transactions.
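The flaw described above is a missing object-level authorization check on a sequential identifier. The following is an added illustration, not code from Fiserv or from Krebs' report: a minimal alert lookup that trusts the event number alone, beside the corrected version that ties every read and write to the authenticated account holder. All names, the in-memory store and the sample records are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    event_number: int      # sequential id, as in the article
    owner: str             # account holder the alert belongs to
    email: str
    phone: str
    account_number: str


# Constructed sample data: two customers, one alert each, adjacent ids.
ALERTS = {
    1001: Alert(1001, "alice", "alice@example.com", "555-0100", "000111222"),
    1002: Alert(1002, "bob", "bob@example.com", "555-0101", "000333444"),
}


class NotAuthorized(Exception):
    pass


def get_alert_vulnerable(session_user, event_number):
    """Looks up the record by event number only. The logged-in user is
    ignored, so decrementing the id returns another customer's alert."""
    return ALERTS.get(event_number)


def get_alert_fixed(session_user, event_number):
    """Object-level authorization: return the record only if it belongs to
    the authenticated user. 'Not found' and 'not yours' are reported the
    same way so the response does not reveal whether the id exists."""
    alert = ALERTS.get(event_number)
    if alert is None or alert.owner != session_user:
        raise NotAuthorized(f"alert {event_number} not accessible to {session_user}")
    return alert


def update_alert_fixed(session_user, event_number, **changes):
    """The write path goes through the same ownership test before any
    contact field is modified; only email and phone are editable."""
    alert = get_alert_fixed(session_user, event_number)
    for field, value in changes.items():
        if field not in ("email", "phone"):
            raise ValueError(f"field {field} is not editable")
        setattr(alert, field, value)
    return alert


def is_denied(session_user, event_number):
    """Helper for checks: True when the fixed lookup refuses access."""
    try:
        get_alert_fixed(session_user, event_number)
    except NotAuthorized:
        return True
    return False
```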