D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
Today, I have finally decided to write this article for all Spanish and xss.is readers. Banco Cetelem SAU has been experiencing various hacker attacks since mid-2023, and today I aim to explain the types of actions taken against the financial company and how it has responded to them.
Since mid-2023, Cetelem has been subject to different brute force attacks via the mobile API, resulting in server downtimes and customers being unable to log in until the servers were restored. The sysadmin's best solution was to change the API up to three times. These hackers were drawn to Cetelem due to the simplicity with which it provided its customers' data. After logging in and debugging the requests made, one could see the customers' credit card information, expiration dates, and all personal data without any censorship. This led to countless complaints from customers, to which the company was never acknowledged or provided an explanation.
After one month, we identified another failure in the website whereby making different requests to the login and changing the IP address could completely bypass any type of security (2FA), allowing access to customer data. Shockingly, this vulnerability remains active to this day. (Image Of OpenBullet software parsing the credentials)
Additionally, a vulnerability was discovered by me and a friend, allowing us to retrieve customers' email, name, and date of birth through a simple request using the NIF of any client.
We demand Cetelem to return the customers' money as it is a failure that they have committed and to cease ignoring the failures they have. I hope that one day you will deign to respond to the emails in which we wanted to reach an agreement.
Best Regards - R4nsom
Since mid-2023, Cetelem has been subject to different brute force attacks via the mobile API, resulting in server downtimes and customers being unable to log in until the servers were restored. The sysadmin's best solution was to change the API up to three times. These hackers were drawn to Cetelem due to the simplicity with which it provided its customers' data. After logging in and debugging the requests made, one could see the customers' credit card information, expiration dates, and all personal data without any censorship. This led to countless complaints from customers, to which the company was never acknowledged or provided an explanation.
After one month, we identified another failure in the website whereby making different requests to the login and changing the IP address could completely bypass any type of security (2FA), allowing access to customer data. Shockingly, this vulnerability remains active to this day. (Image Of OpenBullet software parsing the credentials)
Additionally, a vulnerability was discovered by me and a friend, allowing us to retrieve customers' email, name, and date of birth through a simple request using the NIF of any client.
We demand Cetelem to return the customers' money as it is a failure that they have committed and to cease ignoring the failures they have. I hope that one day you will deign to respond to the emails in which we wanted to reach an agreement.
Best Regards - R4nsom