The Indian hacker who discovered the flaws didn’t take advantage
Not all hackers are bad actors. In November 2015, an Indian hacker discovered serious flaws in a banking app, but instead of making off with some $25 billion, he reported the vulnerabilities to the bank. It seems that there is hope for ethics over money.
Sathya Prakash, a security researcher from India, detected a number of critical flaws in the mobile banking app of an undisclosed bank. The vulnerabilities he found would have allowed anyone with a little coding knowledge to steal money from every customer of the bank, and to do so with just a few lines of code.
What Prakash discovered is a common problem in mobile applications. The app did not implement certificate pinning, which left its users exposed to man-in-the-middle attacks: without a pin, the app accepts any server certificate the device's trust store considers valid, so an attacker holding a fraudulently issued (or locally installed) certificate can sit between the app and the bank, read the traffic and alter transactions. The Indian expert also detected a serious issue in the authentication process. That flaw could be exploited by attackers to make money transfers, read account balances and perform any other operation on behalf of the bank's customers.
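The following is an added example, not code from the article or from the bank's app, showing what the missing control looks like in a client: the app computes a pin over the server certificate's SubjectPublicKeyInfo (SPKI) and refuses the TLS session unless that pin is on an allow-list shipped with the app, on top of the normal chain validation. The minimal DER parser, the pin format (base64 of SHA-256 over the SPKI, as used by HPKP) and the `build_fake_cert` helper that produces an unsigned certificate skeleton for offline testing are all assumptions of this example.

```python
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed DER value into (tag, full TLV bytes) for each top-level element."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = _read_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der)         # Certificate SEQUENCE
    _, tbs_tlv = _children(cert_body)[0]           # tbsCertificate SEQUENCE
    _, tbs_body, _ = _read_tlv(tbs_tlv)
    fields = _children(tbs_body)
    # The optional [0] EXPLICIT version shifts the SPKI from index 5 to index 6.
    idx = 6 if fields[0][0] == 0xA0 else 5
    tag, spki_tlv = fields[idx]
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found where expected")
    return spki_tlv


def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)). Pinning the key rather
    than the whole certificate survives renewals that keep the same key pair."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    """True if the certificate's SPKI pin is in the app's allow-list."""
    return spki_pin(cert_der) in set(pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and tear it down unless the leaf certificate is pinned.
    Chain validation is still performed by the default context; the pin is an
    additional check, never a replacement for it."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"SPKI pin mismatch for {host}: got {spki_pin(leaf)}")
    return tls


# ---- constructed test data (assumption of this example, not a real certificate) ----

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_fake_cert(pubkey_bits: bytes, version: bool = True) -> bytes:
    """Unsigned X.509 skeleton with the given public-key bits, for offline tests only."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    alg = _der(0x30, rsa_oid + _der(0x05, b""))
    name = _der(0x30, b"")                                       # empty Name
    validity = _der(0x30, _der(0x17, b"250101000000Z") * 2)
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey_bits))
    fields = _der(0x02, b"\x01") + alg + name + validity + name + spki
    if version:
        fields = _der(0xA0, _der(0x02, b"\x02")) + fields
    return _der(0x30, _der(0x30, fields) + alg + _der(0x03, b"\x00"))


BANK_CERT = build_fake_cert(b"constructed-bank-key")
ATTACKER_CERT = build_fake_cert(b"constructed-mitm-key")
BANK_PINS = {spki_pin(BANK_CERT)}          # shipped inside the app; add a backup pin in practice

if __name__ == "__main__":
    print("bank cert pinned:", pin_matches(BANK_CERT, BANK_PINS))
    print("attacker cert pinned:", pin_matches(ATTACKER_CERT, BANK_PINS))
```

The allow-list should contain at least one backup pin for a key that is kept offline, otherwise a key rotation bricks every installed copy of the app; and because pinning only adds a check after the default chain validation, a pinned app still fails closed on an expired or untrusted chain.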
If these flaws had been discovered by hackers with malicious intentions, they could have made a fast $25 billion by draining the customers' deposits. Prakash, however, immediately contacted the bank which owns the app and informed it about the serious vulnerabilities he had discovered. Not only that, but he also cooperated with the bank's security experts to help them fix the flaws. The bank was lucky that Prakash acted ethically, unlike someone with a cybercriminal background who could easily have taken advantage of these security holes. However, the ethical hacker received no reward from the bank for his responsible deed, nor did he get any compensation for the support he provided in patching the flaws.