Every secure technology platform will often have a chink in its armour. Sometimes they are very small and easily mended. At other times, they are gaping and severe. Recently, one has been found in Zenith Bank’s Insurance platform. And it’s been there for a while.

At least since April, according to Jibola Oseni, the one who’s reported it to TechCabal. The flaw leaves the platform wide open to a privilege escalation hack. Jibola, who is also a fairly hardcore computer engineer himself was buying travel insurance for an intended trip to France when he found it.

What is a privilege escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions — Wikipedia.

Something was not quite right with the URL, says Jibola. It wasn’t constructed properly and pointed to faulty architecture. On closer observation, he discovered that by merely editing the URL string, he could grant himself administrator level access to the platform and view records that he ordinarily shouldn’t be able to.

To support his claim, Jibola sent in a number of very convincing screenshots of customer information which should be privy to all except their owners. We’ve published just two and taken care to anonymise personal information.

zenith insurance hack 2

zenith insurance hack 1


Jibola reported the issue to Zenith Bank staff, and after reaching the one supposedly in charge he says he was basically blown off. According to him, it’s almost as if they don’t know how to fix it and keep giving him the run around in hopes that he will just forget about it.

“Even last week, I was in touch with them, and I was given a cock and bull story about how a contractor is working on it”.

But Jibola maintains that the vulnerability is still there. And all he’s got to show for his efforts is getting his phone number and email address banned from the technical support channel.

We have reached out to Zenith Bank for comment on this development, and as the time of publishing, we are still awaiting their response.

Read this next
More From TC
South East Asia shows there is still hope for bike hailing in Lagos
Business, ecosystem, Government, Mobile, News
19th February 2020

The bike hailing innovation is not unique to Lagos. The service originated from Southeast Asia, an emerging market that shares many characteristics with Lagos and Nigeria. In this region, bike hailing faces similar regulatory challenges. But things are more progressive.

TechCabal is a Big Cabal Media brand

Copyright © 2020
All rights reserved

Privacy & Terms