zSecure, IT security research group, has claimed to have detected vulnerabilities in HDFC Bank‘s website. According to a blog post on zSecure’s security blog, a Hidden SQL Injection Vulnerability was detected by the group on 15th July 2011, that could give hackers access to the bank’s complete database, and lead to confidential user data being compromised. The blog post also features three screen-shots of some MSSQL databases, including a database consisting of information related to the bank’s branches.
The group claims that HDFC Bank took 22 days to respond to it, when it reported the vulnerability to it, and that it was not able to fix it in the first attempt. Later, zSecure sent complete inputs about the vulnerability to the Bank’s security team, after which it was fixed. The group also said that HDFC in its reply mentioned the use of a third-party service provider for its site’s security. Note that MediaNama is unable to verify any of the claims made by zSecure, the authenticity of the screenshots, and whether this level of access indicates a serious security breach.
We do however, feel concerned about access to customers’ bank accounts, since this may lead to not just access to private information but also financial loss, if these reports are true.
Earlier, zSecure had claimed to have detected vulnerabilities in three other Indian websites: Sify.com (screenshots), TimesOfMoney (screenshots) and brokerage house Sharekhan.com (screenshots), using an SQL injection technique. TimesOfMoney had said that it was protected against any kind of network penetration due to stringent policies followed and that it had once again tested its infrastructure for the named vulnerability, and had seen no evidence of breach.