Nowadays the One Time Password (OTP) is the most popular out-of-band feature offered by banks: a user completes a transaction and verifies their identity with an OTP sent to the mobile number registered with the bank when the account was opened.
But what if we can bypass the OTP? Yes, you are thinking right. Here I am writing about my experience with a bank where I was able to bypass the OTP and make a transaction of any amount.
The bank is one of the most popular banks in India, State Bank of India (SBI).
Here we go:
When we make a transaction, at the last stage we are sent to the One Time Password screen.
[Screenshot: OTP screen]
Approximately 3 months ago, I was searching for bugs in State Bank of India. After spending 1 hour on https://retail.onlinesbi.com, I found that when I am making a transaction (at the last stage of the transaction) there is a parameter passed in the POST request called smartotpflag, and it is set to Y, i.e. smartotpflag=Y
[Screenshot: request with smartotpflag=Y]
Initially it was already set to the value Y.
From this we can easily understand that the smartotpflag parameter controls OTP generation: Y means "yes, generate the OTP and send it to my mobile".
But what if we change this Y to N?
Yes, exactly that is what I did: I changed the value from Y to N, and the result was shocking to me.
The transaction was completed successfully without entering the OTP.
[Screenshot: request with smartotpflag=N and the response]
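The root cause here is a server that lets a client-supplied flag decide whether OTP verification runs at all. The following is an added illustration, not SBI's code or anything from the original post: a simplified transaction handler that trusts `smartotpflag` the way described above, beside a hardened handler that ignores the flag and decides the OTP requirement server-side. All names, the in-memory `ISSUED_OTPS` store and the sample transaction ids are constructed for the example.

```python
import hmac
import secrets

# Constructed server-side state: txn_id -> OTP the server sent out-of-band.
# A real deployment would keep this in a store with an expiry.
ISSUED_OTPS = {}


def issue_otp(txn_id):
    """Server generates a 6-digit OTP for a pending transaction and records it."""
    otp = f"{secrets.randbelow(10**6):06d}"
    ISSUED_OTPS[txn_id] = otp
    return otp  # in reality this goes to the registered mobile, never to the client


def complete_txn_vulnerable(form):
    """Vulnerable pattern: the client's smartotpflag decides whether OTP is checked.
    Any value other than 'Y' skips verification, so smartotpflag=N completes
    the transaction with no OTP at all."""
    if form.get("smartotpflag") == "Y":
        expected = ISSUED_OTPS.get(form["txn_id"])
        if expected is None or not hmac.compare_digest(expected, form.get("otp", "")):
            return "rejected: bad OTP"
    return "completed"


def complete_txn_hardened(form):
    """Hardened pattern: no client field can switch OTP off. The server alone
    knows a funds transfer needs an OTP, and it only accepts the single-use
    OTP it issued for this exact transaction."""
    expected = ISSUED_OTPS.pop(form["txn_id"], None)  # pop: one attempt, one use
    if expected is None:
        return "rejected: no OTP pending"
    if not hmac.compare_digest(expected, form.get("otp", "")):
        return "rejected: bad OTP"
    return "completed"


def is_suspicious_request(form):
    """Detection aid for the server log: a transaction request whose flag is
    missing or not 'Y' should never occur from the legitimate UI."""
    return form.get("smartotpflag") != "Y"
```

Note that `is_suspicious_request` is a log-side check only; the fix is the hardened handler, which never consults the flag when deciding whether to verify.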
Here is the proof of concept video:
[Video: POC video]
This video shows a transaction of a smaller amount, but later when I tried to make a transaction of Rs. 60,000 it also succeeded without entering the OTP.
Even newspapers are not supporting me in making the whole of India aware of it.
Timeline:
19th-Oct-2016
Thanks & Regards, Neeraj Edwards