Hello Andriy and Bugtraq!

It's an interesting issue in LiqPAY, which was quickly fixed by Privat Bank after your disclosure. Even though they refused to fix it (as it was not an issue in their opinion) on 22 March 2010, when you officially informed them, by 27 March 2010 they had already fixed it by adding the site's address into the text of the SMS. Even on 11 March 2010 they changed their default SMS text and added to it the suggestion not to pass the password to third parties. All these changes will not eliminate all forms of phishing, but they are still an improvement to the SMS message. So there was an effect from your informing them and disclosing this vulnerability ;-) and Privat Bank fixed it.

This is that rare case when they fixed the holes they were warned about, because they ignored all my warnings to Privat Bank during 2008-2010 about multiple vulnerabilities at many of their sites (and so didn't answer and didn't fix the holes).

It is also interesting that this issue is similar to one of the issues in Privat Bank's Privat24 for Facebook, which you disclosed recently (http://lists.grok.org.uk/pipermail/full-disclosure/2010-October/076834.html). And while they fixed the issue with SMS in the case of LiqPAY, they didn't fix it in the case of the Facebook version of Privat24. Which is strange, because they could have quickly fixed the text of those SMS messages, as they did earlier for their LiqPAY system.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)
Mar 22 2010 05:38PM
Andriy Tereshchenko (tag 24 odessa ua)
1) Affected Service
* LiqPAY micro-payment system from PrivatBank, Ukraine

2) Severity
Rating: Moderate (needs user action)
Impact: Exposure of sensitive financial information and unauthorized access to the system
Where: Remote (man-in-the-middle)