HDFC Bank slow to fix security bug
By Bala Shah

zSecure is a dedicated IT security research group established in January 2010. zSecure says that its ‘primary aim and interest is to do security research in a responsible manner. All our work is geared to make the digital world more secure.’ So what happened when the well-meaning zSecure team found a very serious security flaw at one of India’s most high-profile banks, HDFC Bank?

The Housing Development Finance Corporation Limited (HDFC) was amongst the first to receive ‘in principle’ approval from the Reserve Bank of India (RBI) to set up a bank in the private sector, as part of the RBI’s liberalisation of the Indian banking industry in 1994. The bank was incorporated in August 1994 under the name ‘HDFC Bank Limited’, with its registered office in Mumbai, India. HDFC Bank operates in three key business segments: Wholesale Banking Services, Retail Banking Services and Treasury. It has entered the banking consortia of over 50 corporates to provide working capital finance, trade services, corporate finance and merchant banking. It also provides sophisticated product structures in foreign exchange and derivatives, money markets and debt trading, and equity research.

zSecure has blogged about its experience with HDFC Bank after discovering a critical hidden SQL injection vulnerability on hdfcbank.com which, according to zSecure, would have given an attacker complete access to the bank’s web database. The summary and the account that follow are taken from zSecure’s post.

Website: hdfcbank.com
Vulnerability type: hidden SQL injection
Database: MSSQL, error-based (the server’s SQL error messages were returned to the client)
Vulnerability discovered: 15-July-2011
Alert level: Critical
Threats: complete database access, database dump, shell upload

Our Experience with HDFC Bank


The aforesaid vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). HDFC Bank’s team took around 22 days to respond to our e-mail; their first response came on 08-August-2011 with the message:

“Thank you for sending us this information on the critical vulnerability. We have remediated the same.”

After their e-mail, we again checked the status of the vulnerability and found that it was still active on their web portal. We immediately replied to their e-mail with additional proof of the vulnerability and asked them to fix it ASAP. Two days later we received another e-mail from their team with the message:

“We have remediated all the vulnerabilities reported on our website. Also, we have had an application vulnerability assessment performed by one of our third-party service providers, and they confirmed that there are no more SQL injection vulnerabilities.”

Their response above left us with an unexpected surprise. We were not able to believe that such a big organisation does not have a proper vulnerability assessment process in place: we had already reported the vulnerability to them, and even after having a vulnerability assessment conducted by a third party (as claimed), they were not able to find the active vulnerability in their web portal.

Thereafter, we sent complete inputs about the vulnerability to their security team, and finally the vulnerable file was removed from HDFC Bank’s web server.
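The two practical lessons in zSecure’s account are what an error-based SQL injection looks like in code and why a fix has to be retested rather than taken on trust. The block below is an added example, written for this article; it is not zSecure’s code, HDFC Bank’s code, or anything from the vulnerable portal. It shows the string-built query pattern that creates the flaw, the parameterised fix, and a small retest helper that flags leaked SQL Server error messages in a response body. SQLite in memory stands in for MSSQL (the quoting mechanics of the injection are the same); the MSSQL error fragments are the standard SQL Server / ODBC messages; the fetch functions, the URL and the response bodies are constructed stand-ins for a real HTTP request.

```python
"""Added example (not zSecure's or HDFC Bank's code).

Error-based SQL injection: vulnerable query vs. parameterised fix, plus a
retest helper. SQLite in memory stands in for MSSQL. The fetch functions,
URL and response bodies are constructed stand-ins for real HTTP traffic.
"""
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for a customer-facing portal's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "ACC-0001"), (2, "bob", "ACC-0002"), (3, "carol", "ACC-0003")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied value is spliced into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = "SELECT id, name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Fixed: a bound parameter is never parsed as SQL, whatever it contains."""
    return conn.execute(
        "SELECT id, name, account FROM customers WHERE name = ?", (name,)
    ).fetchall()


def probe_raises_db_error(lookup, conn, payload):
    """True if the payload makes the database throw. A lone quote breaking the
    query is the first signal of an error-based injection point."""
    try:
        lookup(conn, payload)
    except sqlite3.OperationalError:
        return True
    return False


# Standard SQL Server / ODBC error fragments that an unhandled exception page
# echoes to the client. Seeing any of these after a quote probe means the
# error-based channel is still open, whatever the remediation e-mail says.
MSSQL_ERROR_PATTERNS = [
    r"Unclosed quotation mark after the character string",
    r"Incorrect syntax near",
    r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]",
    r"System\.Data\.SqlClient\.SqlException",
    r"Conversion failed when converting the .* value .* to data type",
]


def leaks_mssql_error(body):
    """True if a response body contains a SQL Server error signature."""
    return any(re.search(p, body) for p in MSSQL_ERROR_PATTERNS)


def retest(fetch, url, probes=("'", "')", '"')):
    """fetch(url, payload) returns a response body. Returns the probes that
    produced a leaked database error; an empty list means the reported
    error-based injection can no longer be triggered at that URL."""
    return [p for p in probes if leaks_mssql_error(fetch(url, p))]


# Constructed stand-ins for the two states described in the article: the
# portal still echoing the driver error after the first "remediated" reply,
# and the portal after the vulnerable file was actually removed.
def fetch_still_vulnerable(url, payload):
    if "'" in payload:
        return ("<html><body>Microsoft OLE DB Provider for ODBC Drivers error "
                "'80040e14'<br>[Microsoft][ODBC SQL Server Driver][SQL Server]"
                "Unclosed quotation mark after the character string ''.")
    return "<html><body>Welcome</body></html>"


def fetch_fixed(url, payload):
    return "<html><body>Welcome</body></html>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))      # all three rows
    print("fixed:     ", lookup_fixed(db, payload))           # []
    print("quote probe throws:", probe_raises_db_error(lookup_vulnerable, db, "'"))
    print("retest before fix:", retest(fetch_still_vulnerable, "https://example.invalid/x"))
    print("retest after fix: ", retest(fetch_fixed, "https://example.invalid/x"))
```

The retest deliberately checks the response body for database error text rather than for the absence of a particular file: a vulnerability that is reported as fixed is only closed when the probe that originally triggered the error no longer does, which is the check zSecure ran after HDFC Bank’s first reply.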


(9/5/2011)
Copyright 2010 Techgoss.com