Bug #22306
[External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation
Status: | Closed | Start date: | 29 July 2025 | |
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | yap chekying | % Done: | 0% | |
Category: | - | Spent time: | - | |
Target version: | - |
Description
Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.
Recommendation from pentester:
It is recommended to re-verify whether the modified data is valid or not.
Please refer to attached excel for details.
History
#1 Updated by Hao Ter Tai about 1 month ago
238,077
1/8/2025 [External Audit Findings][MLEB] Bypass OTP in Biometric Activation
Issue:
Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.
Solution:
FE add checking for encrypted status code
#2 Updated by Tan Hi Ann about 1 month ago
- Status changed from New to Resolved
RC: Modification of response parameters in the API allows an attacker to alter values such as item prices, item quantities, and other sensitive data commonly used in business transactions, potentially leading to unauthorized changes being accepted by the server.
Solution: BE passes encrypted status code to FE to ensure statusCode untampered
#3 Updated by Tan Hi Ann about 1 month ago
- Assignee changed from Tan Hi Ann to yap chekying
#4 Updated by yap chekying about 1 month ago
- File RE OCBC Business Mobile app Audit Findings - July 2025.msg added
- Status changed from Resolved to Pending UAT
Released to UAT
#5 Updated by yap chekying about 1 month ago
- Priority changed from Immediate to Normal
#6 Updated by yap chekying about 1 month ago
- Subject changed from [External Audit Findings][MLEB] Bypass OTP in Biometric Activation to [External Audit Findings][MLEB, iOS, Android] Bypass OTP in Biometric Activation
#7 Updated by yap chekying about 1 month ago
- Status changed from Pending UAT to Pending PROD
#8 Updated by yap chekying 13 days ago
- Status changed from Pending PROD to Closed
Released to production