hooglworldof.blogg.se

Shut in summary

Vincent Haupert presented at the Chaos Communication Congress a talk about some severe security breaches in the fintech startup Number26 app and API.

Summary

The original presentation is here and it is quite fun to watch. If you only have 5 mins to grab the key points, they are summarised below. Or watch the YouTube version here.

  • No certificate pinning, making MitM of the API much easier.
  • Password reset via email only: a compromised email account is more likely if there is no 2FA and an easy password (but actually access to the email account is not even needed, see later!).
  • Spear phishing is made easier than it should be to gain login credentials.
  • The API accepts an (un-hashed) email address and responds whether or not it belongs to a Number26 user (to support address-book based send money).
  • 68M Dropbox emails were evaluated against the API: no blocking, no suspicion raised at all. 33k users identified, a nice list for targeted (spear) phishing.
  • Weak pairing scheme: the token sharing / phone pairing scheme is only a client-side feature (no keys are checked on the server), so the raw API call for send money works from any client!
  • Sent 2000 1c transactions to the same user in 30 mins, no suspicion raised. 3 weeks later N26 contacted the recipient (not the sender) and wanted to block his account!
  • The reset API request responds with the actual token/link (which should only be sent to the email account), so you don't actually need the email account to reset credentials!
  • Other secure features need a 'secret' card ID that is readily discoverable. This ID is not the 16 digit card number, but another ID/token printed on the physical MasterCard. However, this ID is also used in transaction IDs and is leaked in the API, hence possession of the card is not needed.
  • The 5 digit PIN is needed for some secure requests. The PIN check API is not throttled; it managed 160 rps, so on average it takes 5 mins to brute force the PIN.
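As an added example (not code from the talk, the blog or N26), the per-card attempt limiter whose absence the PIN check point describes, together with the arithmetic behind the "160 rps, about 5 minutes" figure; the attempt and lockout thresholds, card IDs and sample PIN are assumed values.

```python
"""Added example, not from the talk or N26: a per-card PIN attempt limiter
and the brute-force arithmetic behind the unthrottled PIN check figure."""
import hmac

PIN_SPACE = 10 ** 5           # a 5-digit PIN has 100,000 values
MAX_ATTEMPTS = 3              # assumption: lock the card after 3 wrong guesses
LOCKOUT_SECONDS = 15 * 60     # assumption: lock for 15 minutes


def expected_brute_force_seconds(rps: float) -> float:
    """Average seconds to hit a uniformly random PIN when every guess is
    answered (half the space on average). At 160 rps: 312.5 s, about 5 min."""
    return (PIN_SPACE / 2) / rps


def expected_brute_force_seconds_with_lockout() -> float:
    """Same average, but only MAX_ATTEMPTS guesses are answered per LOCKOUT_SECONDS."""
    return (PIN_SPACE / 2) * LOCKOUT_SECONDS / MAX_ATTEMPTS


class PinAttemptLimiter:
    """Server-side state per card ID: (consecutive failures, locked-until time)."""

    def __init__(self) -> None:
        self._state: dict[str, tuple[int, float]] = {}

    def check(self, card_id: str, guess: str, real_pin: str, now: float) -> str:
        failures, locked_until = self._state.get(card_id, (0, 0.0))
        if now < locked_until:
            return "locked"                        # answer nothing while locked
        if hmac.compare_digest(guess, real_pin):   # constant-time comparison
            self._state.pop(card_id, None)         # success clears the counter
            return "ok"
        failures += 1
        if failures >= MAX_ATTEMPTS:
            self._state[card_id] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._state[card_id] = (failures, locked_until)
        return "wrong"


def demo() -> list[str]:
    """Constructed sequence: three wrong guesses, one try during the lockout,
    then the right PIN once the lock has expired."""
    limiter = PinAttemptLimiter()
    pin = "04217"                                  # constructed sample PIN
    results = [limiter.check("card-A", g, pin, t)
               for g, t in (("00000", 0.0), ("00001", 1.0),
                            ("00002", 2.0), ("00003", 3.0))]
    results.append(limiter.check("card-A", pin, pin, 2.0 + LOCKOUT_SECONDS))
    return results   # ['wrong', 'wrong', 'locked', 'locked', 'ok']
```

Under the assumed lockout the average brute-force time rises from about 5 minutes to roughly 170 days, which is the margin the unthrottled endpoint gave away.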