A security researcher has discovered an unprotected server belonging to India’s largest bank, State Bank of India (SBI), which could potentially let anyone access details such as the phone numbers and bank balances of customers. According to a report in TechCrunch, the server, which was hosted in a regional Mumbai-based data center, has now been secured by the bank.
The flaw in the server was discovered by a security researcher who did not wish to be named but told the website about the problem.
The exposed server was that of SBI Quick, the bank’s SMS service that lets users request their account balance, last five transactions, loan information and the like via a text message. However, the server that stores millions of such text messages each day was not protected by a password, according to the report.
“The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number,” TechCrunch said in its report.
The exact period for which the server remained unprotected is unclear. It reportedly also held daily archives of text messages, including messages sent out in December last year. On one particular day alone, SBI Quick sent out around three million text messages.
India-based security researcher Karan Saini told the site that the data could potentially lead to financial fraud or be used by attackers to identify high-value targets based on their bank balance, given that the unprotected server exposed information such as the bank balances and phone numbers of SBI customers.
SBI has not officially commented on the issue so far. TechCrunch also said it had verified the data and that it was not dummy data.