Even a secure technology platform will often have a chink in its armour. Sometimes the flaw is very small and easily mended. At other times, it is gaping and severe. Recently, one has been found in Zenith Bank’s Insurance platform. And it’s been there for a while.

At least since April, according to Jibola Oseni, who reported it to TechCabal. The flaw leaves the platform wide open to a privilege escalation hack. Jibola, who is also a fairly hardcore computer engineer himself, was buying travel insurance for an intended trip to France when he found it.

What is a privilege escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions — Wikipedia.

Something was not quite right with the URL, says Jibola. It wasn’t constructed properly and pointed to faulty architecture. On closer observation, he discovered that by merely editing the URL string, he could grant himself administrator-level access to the platform and view records that he ordinarily shouldn’t be able to.
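An added illustration of the class of flaw described above, not code from the Zenith platform or from Jibola’s report: a handler that takes the privilege level from the URL, beside one that takes it only from the server-side session and records mismatches. The `role` and `id` parameters, the host name and all records are constructed assumptions; the article does not say which part of the URL was edited.

```python
from urllib.parse import urlparse, parse_qs

# Constructed server-side state: session token -> authenticated user and role.
SESSIONS = {"tok-alice": {"user": "alice", "role": "customer"},
            "tok-admin": {"user": "ops1", "role": "admin"}}
# Constructed policy records: policy id -> owner and holder name.
POLICIES = {"1001": {"owner": "alice", "holder": "Alice A."},
            "1002": {"owner": "bob", "holder": "Bob B."}}
AUDIT = []  # (user, claimed_role) pairs where the URL claimed a role the session lacks


def _params(url):
    """Return the query parameters of url as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def view_policy_vulnerable(url, session_token):
    """Flawed pattern: the privilege level is read from the URL itself."""
    q, session = _params(url), SESSIONS.get(session_token)
    if session is None:
        return 401, None
    policy = POLICIES.get(q.get("id", ""))
    if policy is None:
        return 404, None
    # Defect: 'role' is client-controlled, so the ownership check can be skipped.
    if q.get("role") == "admin" or policy["owner"] == session["user"]:
        return 200, policy
    return 403, None


def view_policy_hardened(url, session_token):
    """Role and identity come only from the server-side session."""
    q, session = _params(url), SESSIONS.get(session_token)
    if session is None:
        return 401, None
    if "role" in q and q["role"] != session["role"]:
        AUDIT.append((session["user"], q["role"]))  # signal for detection/alerting
    policy = POLICIES.get(q.get("id", ""))
    if policy is None:
        return 404, None
    if session["role"] == "admin" or policy["owner"] == session["user"]:
        return 200, policy
    return 403, None


if __name__ == "__main__":
    edited = "https://insurance.example/policy?id=1002&role=admin"
    print(view_policy_vulnerable(edited, "tok-alice"))
    print(view_policy_hardened(edited, "tok-alice"), AUDIT)
```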

To support his claim, Jibola sent in a number of very convincing screenshots of customer information that should be visible to no one except its owners. We’ve published just two and taken care to anonymise personal information.

[Screenshot: zenith insurance hack 2]

[Screenshot: zenith insurance hack 1]

Jibola reported the issue to Zenith Bank staff, and after reaching the one supposedly in charge, he says he was basically blown off. According to him, it’s almost as if they don’t know how to fix it and keep giving him the runaround in hopes that he will just forget about it.

“Even last week, I was in touch with them, and I was given a cock and bull story about how a contractor is working on it”.

But Jibola maintains that the vulnerability is still there. And all he’s got to show for his efforts is getting his phone number and email address banned from the technical support channel.

We have reached out to Zenith Bank for comment on this development, and as of the time of publishing, we are still awaiting their response.
