The Housing Development Finance Corporation Limited (HDFC) was amongst the first to receive an ‘in principle’ approval from the Reserve Bank of India (RBI) to set up a bank in the private sector, as part of the RBI’s liberalization of the Indian Banking Industry in 1994. The bank was incorporated in August 1994 in the name of ‘HDFC Bank Limited’, with its registered office in Mumbai, India. HDFC Bank commenced operations as a Scheduled Commercial Bank in January 1995.
HDFC Bank deals with three key business segments. – Wholesale Banking Services, Retail Banking Services, Treasury. It has entered the banking consortia of over 50 corporates for providing working capital finance, trade services, corporate finance and merchant banking. It is also providing sophisticated product structures in areas of foreign exchange and derivatives, money markets and debt trading and equity research.
A critical SQL Injection vulnerability has been discovered in HDFC Bank web portal. Any malicious black hat can create much more devastating attacks using this critical flaw which includes but not limited to – Uninterrupted database access; Database Dump; Possibility of shell uploading which may further result in defacement of website. Vulnerable URL:
Proof Of Concept
The aforesaid vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). The HDFC Bank’s team took around 22 days to respond to our e-mail and their first response came on 08-August-2011 with a message:
Thank you for sending us this information on the critical vulnerability. We have remediated the same.
After their e-mail, we again checked the status of said vulnerability and found that the vulnerability was still active on their web portal. We immediately replied to their email with additional proof of vulnerability and asked them to fix the same asap. Later on, after 2 days we again received an e-mail from their team with a message:
We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability.
Their above response left us with an unexpected surprise. We were not able to believe that such a big organization doesn’t have proper vulnerability assessment in place because we already reported the vulnerability to them and even after conducting vulnerability assessment from a third party (as claimed) they were not able to find the active vulnerability in their web-portal.
Thereafter, we sent complete inputs about the vulnerability to their security team and finally the vulnerable file was removed from HDFC’s web-server.
Finally we would like to say that, since even after conducting the vulnerability assessment from a third party they were not able to discover this critical flaw that existed in their web portal since a long time then how can they assure themselves that there’s no more additional vulnerability exists in their web-portal. HDFC Bank’s Security team needs to think on this!
No data has been dumped. Database has been accessed only to take screen-shots so that we can make company believe that aforesaid flaw actually exist. The reason being, most of the companies use to treat the like advisories/disclosure as junk and don’t believe the researcher’s which may later cause them suffer.