Bug #22306: [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation - VELO Production Issue - S-MADP Customer Support & Information Center

Bug #22306

[External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

Added by yap chekying 21 days ago. Updated 11 days ago.

Status:

Pending PROD

Start date:

29 July 2025

Priority:

Normal

Due date:

Assignee:

yap chekying

% Done:

Category:

Spent time:

Target version:

Description

Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Recommendation from pentester:
It is recommended to re-verify whether the modified data is valid or not.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:12 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 10:39 AM

History

#1 Updated by Hao Ter Tai 17 days ago

238,077
1/8/2025 [External Audit Findings][MLEB] Bypass OTP in Biometric Activation
Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution:
FE add checking for encrypted status code

#2 Updated by Tan Hi Ann 14 days ago

Status changed from New to Resolved

RC: Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution: BE passes encrypted status code to FE to ensure statusCode untampered

#3 Updated by Tan Hi Ann 14 days ago

Assignee changed from Tan Hi Ann to yap chekying

#4 Updated by yap chekying 13 days ago

File RE OCBC Business Mobile app Audit Findings - July 2025.msg added
Status changed from Resolved to Pending UAT

Released to UAT

#5 Updated by yap chekying 13 days ago

Priority changed from Immediate to Normal

#6 Updated by yap chekying 11 days ago

Subject changed from [External Audit Findings][MLEB] Bypass OTP in Biometric Activation to [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

#7 Updated by yap chekying 11 days ago

Status changed from Pending UAT to Pending PROD

Also available in: Atom PDF

OCBC NISP Velocity Mobile » VELO Production Issue

Issues

Custom queries