TheRodinhoods

How do I get this bank or any company to take my feedback seriously?

The other day I was browsing through the website of a very renowned, govt.-owned bank, one of the largest banks of India. While browsing I thought, “Is it possible that this website has some vulnerability that will take me to their database?” So I decided to find out. Link after link, page after page tested, but no luck. Then, after 2-3 hrs of continuous testing, I finally found one link which had the characteristics of SQL injection.

So now I had a link with SQL injection in it. “What’s next?” So I decided to take this thing one step further, created a payload and decided to exploit this vulnerability. To my surprise, finding the vulnerable link was the only difficult part; exploiting the database was a piece of cake. Now I was in the database of a nationalized bank. After playing with it for a few mins, I decided to inform the bank authorities about this vulnerability.

I wrote a mail to the CIO, keeping the COO, CTO and CEO in CC, and thought they would take care of this and patch it. But again to my surprise, when I tested the same link after 10 days, the vulnerabilities were still as they had been. So I thought to update them about this again, this time via Twitter.
I got their reply after 6 days, even on Twitter, saying they’ll look into this matter, and the vulnerability is still intact.

After all this I was forced to think, “Why are most of the people in India not much concerned about their online security, even when someone points out some vulnerability in their system?”

If you have any answer, I’d love to hear it.