Title: NLB mKlik Makedonija 3.3.12 SQL Injection
Advisory ID: ZSL-2023-5797
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 14.10.2023
NLB mKlik е мобилна апликација наменета за физички лица, корисници на услугите на НЛБ Банка, која овозможува преглед на различните продукти кои корисниците ги имаат во Банката како и извршување на различни видови на трансакции на едноставен и пред се безбеден начин во било кој период од денот. NLB mKlik апликацијата може да се користи со Android верзија 5.0 или понова.
The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.
NLB Banka AD Skopje - <https://www.nlb.mk>
3.3.12
Android 13
[23.12.2022] Vulnerability discovered.
[23.12.2022] Vendor contacted.
[26.12.2022] Vendor responds asking more details.
[28.12.2022] Sent details to the vendor, not encrypted. Asked for confirmation and next steps.
[28.12.2022] Vendor thanks us for the cooperation.
[06.01.2023] Asked vendor for update and plan for fix mob/web?
[09.01.2023] Vendor informs that our request has been received and will be reviewed within the responsible department. After the department responds we will be notified.
[20.01.2023] Asked vendor to provide status update and confirmation and to communicate more often.
[23.01.2023] Vendor informs that our request is sent to the responsible department. After the department responds we will be notified.
[13.10.2023] No response from the vendor.
[14.10.2023] Public security advisory released.
[16.10.2023] Vendor responds: Regarding the post on your link page, we would like to refute the claims of alleged vulnerability of NLB Bank’s mKlik application. NLB Bank is continuously working on improving the functionality of its services and information security, and we approach all remarks with great seriousness and make a detailed analysis of the situation. Therefore, allow us to inform you and the public with whom the news was shared that, in the case you state, it is an inappropriate user display, which was immediately corrected after we detected it. In the interest of objective and transparent reporting to the public, we kindly request you to share this notice with your esteemed audience.
[17.10.2023] Replied to the vendor.
[17.10.2023] Automatic response from the vendor: [email protected] - Your message can’t be delivered because delivery to this address is restricted. ¯\(ツ)/¯
Vulnerability discovered by Neurogenesia - <[email protected]>
[1] <https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production>
[2] <https://packetstormsecurity.com/files/175113/NLB-mKlik-Makedonija-3.3.12-SQL-Injection.html>
[3] https://nlb.mk/За_Банката/За_медиумите/Соопштенија_за_јавност.aspx
[4] <https://cxsecurity.com/issue/WLB-2023100040>
[14.10.2023] - Initial release
[17.10.2023] - Added vendor status and reference [2] and [3]
[18.10.2023] - Added reference [4]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>NLB mKlik Makedonija 3.3.12 SQL Injection
Vendor: NLB Banka AD Skopje
Product web page: https://www.nlb.mk
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production
Affected version: 3.3.12
Summary: NLB mKlik е мобилна апликација наменета за физички лица,
корисници на услугите на НЛБ Банка, која овозможува преглед на
различните продукти кои корисниците ги имаат во Банката како и
извршување на различни видови на трансакции на едноставен и пред
се безбеден начин во било кој период од денот. NLB mKlik апликацијата
може да се користи со Android верзија 5.0 или понова.
Desc: The mobile application or the affected API suffers from an SQL
Injection vulnerability. Input passed to the parameters that are
associated to international transfer is not properly sanitised before
being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and disclose
sensitive information.
Tested on: Android 13
Vulnerability discovered by Neurogenesia
@zeroscience
Advisory ID: ZSL-2023-5797
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php
23.12.2022
--
Incident ID: ZSL-122022-NLBTHR
------------------------------
DB data disclosure PoC (international transfer details/description trigger):
++
[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]
-
</p></body></html>