Toka Poisa, A big security disaster ?

 

 

Disclaimer:


This is not a hacking attack. Yesterday ( 11/1/2017) government of assam launched an e-Wallet, Tokapoisa.in, to enable the people of the state for hassle-free online transactions in local language.

I have found a serious security flaw in it yesterday itself ,which could be used to completely take over anyone's account. I reported it to Amtron through Special Branch of Police,  Assam as the email id that was mentioned in the official website ( http://tokapoisa.in/ ) was not working and i also tried to contact amtron from the email id that was provided in amtron's official website ( http://amtron.in/ ) which too was surprising not working. 

The flaw is fixed now . Since the flaw is fixed I'm making a public disclosure here so that others in the community can learn from it . This is ethical hacking ( healthy and legal ). Please do not misunderstand it to be hacking attack. 




On 11th January 2017, Assam Government launched an e-wallet Tokapoisa.in, to enable the people of the state for hassle-free online transactions in local language. The e-wallet is a joint venture developed by State's Assam Electronics Development Corporation Limited ( Amtron ), and ICICI Bank. Soon many news portals covered the news . So as a security researcher I too was curious to see how this platform works.

Since it involves money transaction I was sure that it will be secured one but i was mistaken. The security level of the platform was too poor. Anyone with a little knowledge of hacking could easily bypass its security features and misuse it. Such flaws can be considered if the app is in testing phase but the app was launched and made public which clearly indicates that they failed to recognise such basic flaws during their testing phase !

So here are the flaws : 


( I have reported the flaws and it has been fixed today )

Flaw 1 ( Serious )


Flaw name : Bypass OTP Verification while sign in

The best thing about the site is that there is no password verification, user needs to enter their phone number and an OTP is sent to their phone and once they enter the OTP, user can sign in.

Only one level of authentication is used which is OTP. So if an attacker bypass the otp he can have access to anyone's wallet and misuse it. Once he is inside , he can make payments , steal money etc.
While registering it does not ask the user to verify, which means an attacker can register anyone's number.

Now let us assume that an user have already created an account ,then an  attacker can  login to a specific user's account to make payments on his behalf or steal money etc.

Here is the Proof of concept 




This was possible because there is no limit set for the number of times an attacker can enter invalid otp due to which an attacker can easily brute force it and get full access to anyone's account and money.


Flaw 2 ( low impact )


Flaw name : Directory listing

There was a directory listing flaw in the website by which an attacker can see all the files that are in the directory . this flaw can be used to know about files that are inside the directory even if they are not mentioned anywhere in the site. So it gives a good idea about all the files that are hosted in the directory.



Flaw 3 ( medium)


There is no SSl certificates in the site. The site deals with money and transaction and yet it runs on http and not https. SSL Certificates provide secure, encrypted communications between a website and an internet browser. SSL stands for Secure Sockets Layer, the protocol which provides the encryption. SSL Certificates are typically installed on pages that require end-users to submit sensitive information over the internet like credit card details or passwords. But here in tokapoisa site there is no SSL which means that the connection is not secured and is unencrypted and anyone can perform a man in the middle attack and get sensitive information from it.  This is the first website i have seen which deals with money and dont have a SSL certificate.

Miscellaneous


Tokapoisa have launched an Android app which is not exactly an app because it is just an web viewer which displays the site. there is nothing special in the android app. When you open the app it just shows you the webpage thats all, which means anyone can create the exact same app. This can be dangerous because they have not yet launched it in any app store so if an attacker creates an app which displays the website inside the app no one can differentiate it with the original one and the attacker can take this advantage and add malicious codes in his version.


When I Found the flaw I first prepared a report on it and mailed it to the email ID that was provided in the tokapoisa website ( appsupport@amtron.in ) but the delivery failed as they have not configured the mail service.

Then I mailed it to the General Manager of Amtron (



30.94 million ( population of assam - 2012 ) could be at risk .

So I did my bit to secure the platform. Hope it benifits the people of assam.