Even a secure technology platform will often have a chink in its armour. Sometimes the chinks are very small and easily mended. At other times, they are gaping and severe. Recently, one has been found in Zenith Bank’s Insurance platform. And it’s been there for a while.
At least since April, according to Jibola Oseni, who reported it to TechCabal. The flaw leaves the platform wide open to a privilege escalation hack. Jibola, who is also a fairly hardcore computer engineer himself, was buying travel insurance for an intended trip to France when he found it.
What is a privilege escalation?
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions — Wikipedia.
Something was not quite right with the URL, Jibola says. It wasn’t constructed properly and pointed to faulty architecture. On closer observation, he discovered that by merely editing the URL string, he could grant himself administrator-level access to the platform and view records that he ordinarily shouldn’t be able to.
To support his claim, Jibola sent in a number of very convincing screenshots of customer information that should be visible to no one but its owners. We’ve published just two and taken care to anonymise personal information.
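As an added illustration of the class of flaw described above (example code written for this article, not code from Zenith Bank’s platform or from the report): a request handler that trusts a role carried in the URL, beside one that takes identity and role from the server-side session only and logs refused requests. The parameter names, session store and policy records are all constructed.

```python
# Hypothetical example: URL-driven privilege escalation and its fix.
# Sessions, parameter names and records below are constructed, not real.
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed session store: the server's own record of who the caller is.
SESSIONS = {
    "sess-customer": {"user_id": "u-1001", "role": "customer"},
    "sess-admin": {"user_id": "u-0001", "role": "admin"},
}

# Constructed insurance policy records, each owned by one customer.
POLICIES = {
    "p-1": {"owner": "u-1001", "holder": "Customer One", "trip": "FR"},
    "p-2": {"owner": "u-1002", "holder": "Customer Two", "trip": "NG"},
}

DENIED: list = []  # constructed audit trail of refused requests (detection)


def _query(url: str) -> dict:
    """Return the first value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def view_policy_vulnerable(url: str) -> Optional[dict]:
    """Trusts 'role' and 'user' straight from the query string, so editing
    the URL is enough to read any customer's record."""
    q = _query(url)
    policy = POLICIES.get(q.get("id", ""))
    if policy is None:
        return None
    if q.get("role") == "admin" or policy["owner"] == q.get("user"):
        return policy
    return None


def view_policy_hardened(url: str, session_id: str) -> Optional[dict]:
    """Identity and role come from the server-side session only; nothing in
    the URL can raise privileges or impersonate another owner."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None  # unauthenticated
    policy_id = _query(url).get("id", "")
    policy = POLICIES.get(policy_id)
    if policy is None:
        return None
    if session["role"] == "admin" or policy["owner"] == session["user_id"]:
        return policy
    DENIED.append(f"{session['user_id']} denied access to {policy_id}")
    return None
```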
Jibola reported the issue to Zenith Bank staff, and after reaching the person supposedly in charge, he says he was basically blown off. According to him, it’s almost as if they don’t know how to fix it and keep giving him the runaround in the hope that he will just forget about it.
“Even last week, I was in touch with them, and I was given a cock and bull story about how a contractor is working on it”.
But Jibola maintains that the vulnerability is still there. And all he’s got to show for his efforts is getting his phone number and email address banned from the technical support channel.
We have reached out to Zenith Bank for comment on this development, and as of the time of publishing, we are still awaiting their response.