Bug #22306: [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation - VELO Production Issue - S-MADP Customer Support & Information Center

Bug #22306

[External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

Added by yap chekying 2 months ago. Updated about 1 month ago.

Status:

Closed

Start date:

29 July 2025

Priority:

Normal

Due date:

Assignee:

yap chekying

% Done:

Category:

Spent time:

Target version:

Description

Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Recommendation from pentester:
It is recommended to re-verify whether the modified data is valid or not.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:12 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 10:39 AM

History

#1 Updated by Hao Ter Tai about 2 months ago

238,077
1/8/2025 [External Audit Findings][MLEB] Bypass OTP in Biometric Activation
Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution:
FE add checking for encrypted status code

#2 Updated by Tan Hi Ann about 2 months ago

Status changed from New to Resolved

RC: Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution: BE passes encrypted status code to FE to ensure statusCode untampered

#3 Updated by Tan Hi Ann about 2 months ago

Assignee changed from Tan Hi Ann to yap chekying

#4 Updated by yap chekying about 2 months ago

File RE OCBC Business Mobile app Audit Findings - July 2025.msg added
Status changed from Resolved to Pending UAT

Released to UAT

#5 Updated by yap chekying about 2 months ago

Priority changed from Immediate to Normal

#6 Updated by yap chekying about 2 months ago

Subject changed from [External Audit Findings][MLEB] Bypass OTP in Biometric Activation to [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

#7 Updated by yap chekying about 2 months ago

Status changed from Pending UAT to Pending PROD

#8 Updated by yap chekying about 1 month ago

Status changed from Pending PROD to Closed

Released to production

Also available in: Atom PDF

OCBC NISP Velocity Mobile » VELO Production Issue

Issues

Custom queries