One Time Password (OTP) has become the new security feature on most of the websites, including the banks. This feature allows a user to make online transactions after the identity of the customer is verified by putting the OTP password sent to the registered mobile number from the bank. But who knew this security feature could be easily bypassed and lead to huge loss of money.

A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards shared his research on how he could easily bypass the OTP of one of the most popular bank, State Bank of India (SBI) and could make the transaction with any amount.

While making a transaction, the last page of SBI’s website shows a One Time Password screen where there is a parameter called ‘smartotpflag is set to Y i.e. smartotpflag=Y’.

Smartotpflag parameter is used to generate OTP, and Y represents ‘yes’ to send the code to the registered mobile. However, the risk factor arises if someone changes ‘Y’ to ‘N’ which means ‘No’. The transaction then will be completed without entering the OTP.

Though after Edwards discovery, the vulnerability was patched but it was highly disappointing that the person who could have easily benefited from this vulnerability, but choose not to, was neither rewarded nor acknowledged for his work.

The press too could not make this important news to the papers, thus keeping the public in dark and keeping the discoverer from any achievement.

The POC Video:
https://www.youtube.com/watch?v=2kYm1G2jBcM