Summary

Due to a logic flaw in Oracle's FlexCube Direct Banking application, it was possible to enumerate usernames and then reset a user's password and transaction PIN, granting full access to the victim's account.

This would have allowed (and probably has allowed) a malicious attacker to drain any account behind the application. To make things worse, this is a shockingly simple vulnerability that should have been picked up by basic bounds testing before the application was released.

This vulnerability has been patched in the April 2016 CPU; users of the banking application should update their installations as soon as possible. The developer was notified in January 2016. The flaw is exploitable by unauthenticated, remote users.

Classification / Timeline

Classification:

Type: Authentication
OWASP Top 10: A2 - Broken Authentication and Session Management
CWE: CWE-640
CVSS Score: 9.1
CVE Number: CVE-2016-0699

Timeline:

Vendor Notified: 29-01-2016
Vendor Patch: 19-04-2016
Publicly Published: 19-04-2016
Last Updated: 19-04-2016