Bug #22306

[External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

Added by yap chekying about 1 month ago. Updated 13 days ago.

Status: Closed
Start date: 29 July 2025
Priority: Normal
Due date:
Assignee: yap chekying
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Recommendation from pentester:
It is recommended to re-verify whether the modified data is valid or not.

Please refer to attached excel for details.

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:12 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 10:39 AM

History

#1 Updated by Hao Ter Tai about 1 month ago

238,077
1/8/2025 [External Audit Findings][MLEB] Bypass OTP in Biometric Activation
Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution:
FE adds a check for the encrypted status code

#2 Updated by Tan Hi Ann about 1 month ago

  • Status changed from New to Resolved

RC: Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.

Solution: BE passes encrypted status code to FE to ensure statusCode untampered
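The fix above has the backend return a status code the app can check for tampering. The following is an added illustration, not the project's code: it models that check with an HMAC tag over the status code and request id under an assumed per-session key shared at login (integrity, not secrecy, is what the app needs to detect a modified statusCode), so a response with a flipped status, or a genuine success response replayed for another request, is rejected.

```python
import hashlib
import hmac
import secrets

# Assumption: backend and app share a per-session key established at login.
# Constructed here for the example.
SESSION_KEY = secrets.token_bytes(32)


def backend_response(status_code: str, request_id: str, key: bytes = SESSION_KEY) -> dict:
    """Backend builds the biometric-activation response. The statusCode is
    bound to the request id by an HMAC so the app can detect a value that
    was changed in transit (e.g. a failed OTP check rewritten to success)."""
    msg = f"{request_id}|{status_code}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"requestId": request_id, "statusCode": status_code, "statusTag": tag}


def app_accepts_activation(resp: dict, expected_request_id: str, key: bytes = SESSION_KEY) -> bool:
    """App-side check: statusCode is trusted only if it carries a valid tag
    for the request the app actually sent, and only '00' means success."""
    if resp.get("requestId") != expected_request_id:
        return False  # response belongs to a different request (replay)
    msg = f"{resp.get('requestId')}|{resp.get('statusCode')}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(resp.get("statusTag", ""))):
        return False  # statusCode or tag was modified in transit
    return resp.get("statusCode") == "00"


def simulate_modified_response(resp: dict) -> dict:
    """Test helper: a copy of the response with statusCode rewritten to '00'
    but the original tag left in place, as the finding describes."""
    forged = dict(resp)
    forged["statusCode"] = "00"
    return forged
```

Because the app runs on a device the attacker may control, this check only catches modification in transit; the backend must still refuse the activation itself when its own OTP verification failed, which is the pentester's recommendation in the description.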

#3 Updated by Tan Hi Ann about 1 month ago

  • Assignee changed from Tan Hi Ann to yap chekying

#4 Updated by yap chekying about 1 month ago

Released to UAT

#5 Updated by yap chekying about 1 month ago

  • Priority changed from Immediate to Normal

#6 Updated by yap chekying about 1 month ago

  • Subject changed from [External Audit Findings][MLEB] Bypass OTP in Biometric Activation to [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation

#7 Updated by yap chekying about 1 month ago

  • Status changed from Pending UAT to Pending PROD

#8 Updated by yap chekying 13 days ago

  • Status changed from Pending PROD to Closed

Released to production
