Today, we’ll learn how to bypass bank verification and hack into accounts. You can also bypass Chase, Wellsfargo and other bank account’s security with the help of this method. It can be also used to bypass 2FA of banks.
So, Basically, the vulnerability arises due to improper management or API misconfiguration of sensitive request parameters which leads to Broken Object Level Authorisation.
It arises when the server-side response for some sensitive validation depends on client-side input or request.
In lots of applications, you must first verify your bank, KYC, or other details to further access the application resources or in another way, you should be verified to use the application money transactions, like the one shown below.
similar to this there can be other forms to verify your identity like your country identity card (like aadhar card in the case of India), driving licence.
Now, I just filled in the form with random details, and this is what status for review looks like,
Now, what if we bypass this to get verified from our side.
Let’s see step by step,
Now while filling in the form to capture the request and the request body looks like the screenshot below, you can further make use of the repeater tab to analyze requests and responses.
and here the endpoint for API looks like api/v1/add/bank,
now after lots of observation and checks, I found that only the request parameter “bankVerificationStatus” is responsible for deciding whether our bank is under review/verification or verified,
You may also check: Bank of america Scampage Free Download 2023|BOA Scama
and I found that changing the parameter values is also reflected in server responses, it means the server validation depends on client-side input or request,
then further, I observed for the parameter bankverificationStatus
if I update,
bank verificationsatus:1 →0 (means team or support got our response)
bank verificationStatus:1 →2 (bank got verified permanently)
and verified bank server response looks like,
This way I bypassed one of the important sensitive validation.