Kotak Mahindra Bank is an Indian financial services firm established in 1985. It was previously known as Kotak Mahindra Finance Limited, a non-banking financial company. In February 2003, Kotak Mahindra Finance Ltd, the group’s flagship company, was given the license to carry on banking business by the Reserve Bank of India (RBI). Kotak Mahindra Finance Ltd. is the first company in Indian banking history to convert to a bank.
Kotak Mahindra Bank is the fourth largest Indian private sector bank by market capitalization, headquartered in Mumbai, Maharashtra. The bank’s registered office (headquarters) is located at 27BKC, Bandra Kurla Complex, Bandra East, Mumbai, Maharashtra, India.
We recently discovered an Information Leakage vulnerability in Kotak Bank’s web portal. Using it, a malicious attacker can gather sensitive information, including but not limited to database connection strings and application logic, by analyzing the exposed source code. This information can then be used to conduct further attacks. Vulnerable URL:
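To make the class of issue concrete from the defender's side, the following is an added example (not code from the original post, and not related to Kotak Bank's actual portal or its technology stack): a small self-check that a team can run over its own application's HTTP response bodies to flag the kind of leakage described above, i.e. server-side source being served to the client with database connection strings or credentials inside. The sample response bodies and the regular expressions are constructed for illustration; the patterns are assumptions about common leakage signatures, not a complete catalogue.

```python
import re

# Constructed sample response bodies (illustrative only, not real data).
SAMPLES = {
    # A normal rendered page: no server-side source, no secrets.
    "normal_page": (
        "<html><body><h1>Net Banking</h1>"
        "<form action='/login'>...</form></body></html>"
    ),
    # An ASP.NET page served as raw source instead of being executed.
    "leaked_aspx": (
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'string cs = "Server=db01;Database=netbank;User Id=app;Password=S3cret!;";\n'
        "</script>"
    ),
    # A PHP file served unexecuted, exposing a DSN and a password.
    "leaked_php": (
        "<?php\n$dsn = 'mysql:host=localhost;dbname=bank';\n$pass = 'hunter2';\n"
    ),
}

# Leakage signatures: (label, regex). Assumed patterns, tune for your stack.
PATTERNS = [
    ("server-side template directive", re.compile(r"<%@\s*(Page|Import|Control)\b", re.I)),
    ("unexecuted PHP tag", re.compile(r"<\?php\b")),
    # ADO.NET-style connection string with an inline password.
    ("connection string", re.compile(
        r"(Data Source|Server|host)=[^;\"']+;[^\"']*(Password|pwd)=", re.I)),
    # PDO-style DSN ("mysql:host=...;dbname=...").
    ("PDO DSN", re.compile(r"\b\w+:host=[^;'\"]+;dbname=", re.I)),
    # A literal password assigned in code ($pass = '...').
    ("password assignment", re.compile(
        r"\$?\w*pass\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
]


def find_leaks(body: str) -> list[str]:
    """Return the labels of every leakage signature found in one response body."""
    return [label for label, rx in PATTERNS if rx.search(body)]


def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of name -> response body; empty lists mean no findings."""
    return {name: find_leaks(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        status = "LEAK" if findings else "ok"
        print(f"{name:12s} {status:4s} {', '.join(findings)}")
```

In practice such a check belongs in a post-deploy or periodic job that fetches the application's own URLs (including backup and temporary file names the web server may still serve) and alerts on any finding; a hit on a production host is an incident, since the secrets in the response must be assumed compromised and rotated.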
Proof Of Concept
- 02-Aug-2012: Vulnerability discovered & reported to the company.
- 12-Aug-2012: No response from company. Vulnerability found to be unfixed.
- 13-Aug-2012: Reminder sent to the company.
- 17-Aug-2012: Vulnerability found to be unfixed. Public Disclosure.
- 18-Aug-2012: Within 24 hours of this blog post being published, the company confirms it has fixed the vulnerability.
We appreciate the immediate action taken by Kotak Bank’s security team in fixing the reported vulnerability after the publication of this blog post.