SEB Estonia Internet bank ID card authentication bypass скачать в хорошем качестве

SEB Estonia Internet bank ID card authentication bypass

The flaw in SEB Estonia Internet bank allows to login just by knowing the victim's username. The consequences of the flaw go beyond the read-only access to victim's transaction history. The victim can be impersonated in any website that supports authentication through SEB (eesti.ee, mnt.ee, tele2.ee, etc.). The flaw can be abused to buy goods from online merchants (as shown in the video) since SEB does not require signature authorization for "banklink" transactions. Timeline: 2015.05.11. 13:00 - reported to CERT-EE 2015.05.14. 12:00 - fixed by SEB Estonia The flaw is caused by allegedly misconfigured F5 BIG-IP LTM server's failure to verify signature of the X.509 certificate received in the ID card authentication process. The proof-of-concept video shows how victim's original certificate is retrieved from the public LDAP directory and certificate's public key is replaced with a public key from a freshly generated RSA keypair. The modified "fake" certificate is then imported in the browser and submited in the authentication process. In 2013 a similar flaw was found in Swedbank Estonia Internet bank:    • Swedbank Estonia Internet bank ID card aut...   More about practical issues deploying ID card authentication: https://kodu.ut.ee/~arnis/tlscca.pdf