US-based financial services firm Fiserv has just fixed a flaw in its web platform that exposed the personal and financial details of a vast number of banking customers.
With more than 12,000 clients across the world using the company's services, it is hard to establish how many customers' details were exposed in the 'information disclosure vulnerability' found by security researcher Kristian Erik Hermansen.
When logging into his local bank, which uses Fiserv's platform, Hermansen learned email alerts for financial transactions were assigned an 'event number', which he successfully predicted were distributed in sequence, according to KrebsOnSecurity.
Using this knowledge, the researcher was able to directly view alerts set up by another customer by rewriting the site's code in his browser and sending a request for an altered event number. He was able to view the customer's email address, phone number and bank account number - as well as view and edit alerts they had previously set up.
"I shouldn't be able to see this data," he said. "Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see." He added a criminal could have exploited the flaw to steal information from customers.
Together with KrebsOnSeceurity author Brian Krebs, Hermansen worked to verify whether or not the flaw was exclusive to his own bank's installation of the platform. They soon discovered hundreds of other Fiserv-affiliated banks may have been just as vulnerable as those they had tested.
IT Pro approached Fiserv for comment, and to establish how many institutions in the UK may have been affected, if any, but the company did not respond at the time of writing. A spokesperson told Krebs that Fiserv had responded accordingly, and corrected the issue.
"After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation," the spokesperson said.
"We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilise a hosted version of the solution. We will be deploying the patch this evening to clients that utilise an in-house version of the solution."
While information disclosure vulnerabilities are among the most common types of website security issues, according to Krebs, they are also the most preventable and easy to fix. But they can also cause just as much damage to a company's brand as more severe security risks.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
