Mobicint

Information Disclosure in Mobicint API for Credit Unions

Summary:

Information regarding members is disclosed unnecessarily to an attacker. This information can be enumerated easily and provides an attacker with partial email addresses as well as customer-entered information. Combined with a member ID number, this can lead to possible account compromise. There is a possibility for further injection, but I have not investigated due to lack of a security disclosure program or contact with the company.

Steps To Reproduce:

Post data to the forgot-password page in the memberID field. The ID corresponds to the member number of actual credit union members.

[Image: Posting Data]

Data is returned. The Label field is user-generated and can contain sensitive information if the user has entered it. The address field is partially redacted.

[Image: Returned Data]

Possible Impacts:

Personal information can be compromised if the customer has entered it into the notes field. Further RCE may be possible, as I was able to get a stack trace with some malformed input. I did not continue testing due to lack of documented security testing policies.
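As an added example that is not Mobicint's code, the following shows the leaky forgot-password pattern described above beside a hardened handler that returns the same response for every member ID, plus a small detector that flags member-ID enumeration over constructed request logs. The member records, the log format and all IDs and addresses are constructed for illustration.

```python
# Added example, not Mobicint's code: a forgot-password handler that leaks
# per-member data for any guessed member ID, a hardened version, and a
# detector for member-ID enumeration over constructed request logs.
from collections import defaultdict

# Constructed sample member records (not real data).
MEMBERS = {
    "100234": {"email": "j.doe@example.com",
               "label": "Mortgage acct - SSN last4 1234",  # user-entered note
               "address": "12 Elm St, Springfield"},
    "100235": {"email": "a.smith@example.com", "label": "Savings",
               "address": "9 Oak Ave, Shelby"},
}

def partial_email(email):
    """Mask the local part the way a 'partially redacted' hint would."""
    user, _, domain = email.partition("@")
    return user[:2] + "***@" + domain

def leaky_forgot_password(member_id):
    """Vulnerable pattern: the response differs for valid and invalid IDs
    and echoes user-entered fields, so members can be enumerated."""
    m = MEMBERS.get(member_id)
    if m is None:
        return {"status": "error", "message": "member not found"}
    return {"status": "ok", "email": partial_email(m["email"]),
            "label": m["label"], "address": m["address"][:5] + "..."}

def hardened_forgot_password(member_id, send_reset):
    """Hardened pattern: identical response whether or not the ID exists;
    the reset link goes out-of-band to the contact already on file."""
    m = MEMBERS.get(member_id)
    if m is not None:
        send_reset(m["email"])
    return {"status": "ok",
            "message": "If the member exists, a reset link has been sent."}

def flag_enumeration(log_lines, threshold=5):
    """Return source IPs that probed >= threshold distinct member IDs on the
    forgot-password endpoint. Constructed log format: 'ip path member_id'."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        ip, path, member_id = line.split()
        if path == "/forgot-password":
            ids_by_ip[ip].add(member_id)
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= threshold)
```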
