Identifying a Critical eKYC Vulnerability in a B2C Service Provider

Background

The Process

1. Creating a Legitimate Account (User B)
   • Our pentester first created a new customer account (User B), completed the eKYC process using a valid face scan and national ID, and intercepted the first login token issued during this session.
   • This token, intended for User B, became the key to a more profound vulnerability.
2. Intercepting Sensitive Data
   • Next, the tester logged in with User A's credentials, which had been provided as part of the grey box test.
   • It’s worth noting that, in the real world, such credentials are often compromised via social engineering, phishing, or black-market leaks.
   • During login, we intercepted the POST request to the login API and found it leaked sensitive personal information—including User A’s National Citizen ID and PII—in the response payload.
3. Token Injection Attack
   • The tester modified the intercepted login request by injecting the first token from User B's session into User A’s login attempt.
   • As a result, the system believed the session belonged to User A, but the token was associated with User B’s verified session.
   • This misalignment in session handling effectively bypassed the eKYC process.
4. Full Account Takeover
   • The tester then received a second authentication token from the system and was granted full access to User A’s account, with a successful 200 OK response.
   • On the surface, the interface showed a normal login flow—while in reality, an impersonation had just occurred.

Lessons Learned & Remediation

• The API was redesigned to enforce proper token/session validation.
• Additional checks were added to ensure session integrity between tokens and user identities.
• Sensitive data was removed from all login responses.