The following statement has been issued since this story:
To provide context on the recent blog post, which related to a one-way messaging feature in a limited number of bank websites, our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact. We promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the patch resolves the issue. Fiserv recognizes the importance of security and takes any security concern seriously.
Fiserv, a financial services technology provider, has recently patched a security flaw in its web platform. As discovered by a researcher, the Fiserv flaw leaked personal and financial details of customers from hundreds of banks.
Fiserv Flaw Leaked Banks’ Customers Data
As disclosed by KrebsOnSecurity, a flaw in Fiserv’s web platform allegedly exposed customer data at hundreds of banks through their websites. A researcher, Kristian Erik Hermansen, discovered the flaw a couple of weeks ago when he logged into a local bank system that used Fiserv. According to his findings, Hermansen could view any other customer’s details by simply changing a particular “event number” in the page script.
KrebsOnSecurity reported that Hermansen got curious upon seeing an “event number” assigned to his email alert. He wondered if a change in this number could show him other users’ details. Upon experimenting with the site’s code, this is exactly what he found.
“In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number, and full bank account number.”
KrebsOnSecurity went on to confirm Hermansen’s findings about the Fiserv flaw. They also found similar behavior happening at two other small local banks using Fiserv. It was then safe to deduce that almost all banks using Fiserv would be vulnerable to the flaw. As stated by Brian Krebs,
“In both cases, I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request. I was relieved to find I could not use my online account access at one bank to view transaction alerts I’d set up at a different Fiserv affiliated bank.”
Fiserv Notified Of The Flaw For A Patch
The Fiserv flaw discovered by Hermansen was by no means negligible. A slight change of the digits allegedly exposed other users’ details to anyone. In fact, this could have become a source of a major data breach as well. Hermansen expressed his concern by saying,
“I should not be able to see this data. Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.”
Considering the critical nature of the glitch, Hermansen first tried to inform his bank and Fiserv authorities. However, he remained unsure about whether the flaw was being addressed or not. Therefore, KrebsOnSecurity also reported the matter to Fiserv.
“After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We’ll be deploying the patch this evening to clients that utilize an in-house version of the solution,”
said Ann Cave, Fiserv spokesperson.
Fiserv did not mention the number of banks using its web platform. However, around 1700 banks allegedly use Fiserv’s retail platform. Fortunately, Fiserv has patched the flaw by replacing the event number with a “pseudo-random string”.
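The flaw and the fix described in this article, as an added Python sketch that is not Fiserv's code: a lookup keyed by a sequential event number that never consults the session, next to one keyed by a random token. The function and class names and the sample records are constructed for illustration, and the per-request ownership check goes beyond the fix the article reports.

```python
import secrets

# Constructed sample data: alerts keyed by a sequential "event number".
ALERTS_BY_NUMBER = {
    1001: {"owner": "alice", "email": "alice@example.test", "account": "000111222"},
    1002: {"owner": "bob", "email": "bob@example.test", "account": "000333444"},
}


def get_alert_vulnerable(session_user, event_number):
    """Return whatever record the client-supplied number points at.

    The session is never consulted, so any logged-in user who changes the
    number in the request receives another customer's alert.
    """
    return ALERTS_BY_NUMBER.get(event_number)


class AlertStore:
    """Alerts keyed by an unguessable token, with an owner check on every read."""

    def __init__(self):
        self._alerts = {}

    def create(self, owner, email, account):
        # 128 bits from the OS CSPRNG, so neighbouring records cannot be
        # reached by incrementing a digit.
        token = secrets.token_urlsafe(16)
        self._alerts[token] = {"owner": owner, "email": email, "account": account}
        return token

    def get(self, session_user, token):
        alert = self._alerts.get(token)
        # Same answer for "no such alert" and "not yours", so the response
        # does not confirm which tokens exist.
        if alert is None or alert["owner"] != session_user:
            return None
        return alert
```

A random identifier only makes records hard to guess; the owner comparison in `get` is what keeps a token that leaks through a log or a forwarded link from exposing the record to a different session.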