Account login interface is not strictly controlled, leading to information leakage
A Hepai Online (he-pai.cn) API is not strictly controlled, allowing brute-force cracking and leakage of personal information!
1.
The Hepai Online mobile endpoint http://m.he-pai.cn/login/logining verifies the user name and password submitted by POST, but access to it is not strictly controlled: there is no limit on the number of login attempts, so a leaked credential database (social engineering database) can be used for a credential-stuffing attack and accounts can be taken over.
POST /login/logining HTTP/1.1
userName={usrname}&password={pwd}&verifyCode=&type=getvc
In the afternoon I downloaded an older leaked database for a certain region, randomly selected 100 credentials, and tested them against the site's login page. At least two of the passwords were valid; I logged in with one of the accounts for the next test.
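What the endpoint above lacks is any server-side budget on failed attempts (note also the empty verifyCode in the request body, so the captcha is not enforced). The following is an added example, not code from the report or from he-pai.cn: a sliding-window throttle that locks an account after a few failures and throttles a source address after many, applied before the credential store is consulted, plus a detector that picks the credential-stuffing signature (one IP failing against many different accounts) out of access logs. The endpoint name is taken from the report; the thresholds, the log format, the sample log lines and the test account are assumptions.

```python
# Added example, not code from the report or from he-pai.cn.
# Server-side throttling for a POST password-verification endpoint like the
# one above, plus a detector that flags credential-stuffing patterns in access
# logs. Thresholds, users, log format and log lines are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=15)   # sliding window for counting failures
ACCOUNT_FAIL_LIMIT = 5                # failures per account before a temporary lock
IP_FAIL_LIMIT = 20                    # failures per source IP before throttling
DISTINCT_USER_LIMIT = 10              # distinct accounts failing from one IP -> stuffing


class LoginThrottle:
    """Counts failed logins per account and per source IP in a sliding window."""

    def __init__(self):
        self.account_fails = defaultdict(deque)
        self.ip_fails = defaultdict(deque)

    @staticmethod
    def _prune(queue, now):
        # Drop failure timestamps that have fallen out of the window.
        while queue and now - queue[0] > FAIL_WINDOW:
            queue.popleft()

    def check(self, username, ip, now):
        """Return None if the attempt may proceed, otherwise the reason it is blocked."""
        self._prune(self.account_fails[username], now)
        self._prune(self.ip_fails[ip], now)
        if len(self.account_fails[username]) >= ACCOUNT_FAIL_LIMIT:
            return "account temporarily locked"
        if len(self.ip_fails[ip]) >= IP_FAIL_LIMIT:
            return "source address throttled"
        return None

    def record(self, username, ip, now, success):
        """Record the outcome; a success clears the account's failure history."""
        if success:
            self.account_fails[username].clear()
        else:
            self.account_fails[username].append(now)
            self.ip_fails[ip].append(now)


def attempt_login(throttle, users, username, password, ip, now):
    """Consult the throttle before the credential store, then record the outcome."""
    reason = throttle.check(username, ip, now)
    if reason:
        return ("blocked", reason)
    # Plain comparison stands in for a password-hash check against a constructed store.
    ok = users.get(username) == password
    throttle.record(username, ip, now, ok)
    return ("ok", None) if ok else ("fail", "bad credentials")


# Constructed access-log lines in an assumed format (not from the site).
SAMPLE_LOG = [
    f"2015-11-16 14:00:{i:02d} POST /login/logining ip=203.0.113.10 user=user{i:03d} result=FAIL"
    for i in range(12)
] + [
    "2015-11-16 14:01:00 POST /login/logining ip=198.51.100.7 user=alice result=FAIL",
    "2015-11-16 14:01:05 POST /login/logining ip=198.51.100.7 user=alice result=OK",
]
LOG_RE = re.compile(r"^(\S+ \S+) POST /login/logining ip=(\S+) user=(\S+) result=(\w+)$")


def find_credential_stuffing(lines):
    """Map each source IP to the number of distinct accounts it failed against and
    keep only IPs at or above DISTINCT_USER_LIMIT: one IP, many accounts, few tries
    each is the stuffing signature (unlike one account being hammered)."""
    failed_users = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue   # not a login record
        _ts, ip, user, result = match.groups()
        if result == "FAIL":
            failed_users[ip].add(user)
    return {ip: len(u) for ip, u in failed_users.items() if len(u) >= DISTINCT_USER_LIMIT}


def demo_lockout():
    """Six wrong passwords, then the right one: the sixth try and the correct one are both blocked."""
    throttle = LoginThrottle()
    users = {"alice": "correct-horse"}          # constructed credential store
    t0 = datetime(2015, 11, 16, 14, 0, 0)
    outcomes = []
    for i in range(6):
        outcomes.append(attempt_login(throttle, users, "alice", "wrong",
                                      "198.51.100.7", t0 + timedelta(seconds=i))[0])
    outcomes.append(attempt_login(throttle, users, "alice", "correct-horse",
                                  "198.51.100.7", t0 + timedelta(seconds=7))[0])
    return outcomes


def demo_lock_expires():
    """The lock is a sliding window: once FAIL_WINDOW has passed the account may try again."""
    throttle = LoginThrottle()
    t0 = datetime(2015, 11, 16, 14, 0, 0)
    for _ in range(ACCOUNT_FAIL_LIMIT):
        throttle.record("bob", "198.51.100.8", t0, success=False)
    return (throttle.check("bob", "198.51.100.8", t0),
            throttle.check("bob", "198.51.100.8", t0 + FAIL_WINDOW + timedelta(seconds=1)))


if __name__ == "__main__":
    print(demo_lockout())
    print(demo_lock_expires())
    print(find_credential_stuffing(SAMPLE_LOG))
```

The per-account lock on its own can be turned into a denial of service against a chosen user, which is why the per-IP counter and the log-based detector sit beside it; in practice the lock is usually paired with a captcha or a progressive delay rather than a hard refusal.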
2.
After logging in normally on a PC with the user name and password obtained above, the phone number at http://www.he-pai.cn/phone/memberCenter/selphongbinding.do, which should be hidden, can be read directly by viewing the page source. Likewise,
the bank card number at http://www.he-pai.cn/bank/memberCenter/selbank.do, which should also be hidden, can be read directly by viewing the page source.
So far, all of this person's private information except the ID card number has been obtained.
3.
(The technical staff consider this defect irrelevant. Whether it is important or not, the details should not be made public, or at the very least should be masked with asterisks.)
http://www.he-pai.cn/lntpayplandetail/memberCenter/selContract.do is the contract lookup interface. It appears to check the user's cookie, but it does not control which records the interface returns, so the "loan detail list" of a loan project can be obtained (it should only be available to users who have invested in that loan). The detail list records a series of private data: the real name, user name, ID card number and investment amount of every investor in the project.
http://www.he-pai.cn/lntpayplandetail/memberCenter/selContract.do?CN_FL_NO=CTxxxxxxxxxxxxxx&CN_STS=0
The interface takes the CN_FL_NO parameter as "CT" followed by 14 digits. With a simple comparison the approximate range of detail-list numbers can be worked out, and the detail lists for that range can be obtained by batch-submitting URLs with a small tool.
Here are two "detail lists":
Hepai loan number 201410150017: http://www.he-pai.cn/investmentDetail/investmentDetails/view.do?Ln_no=JK14101500897668
Corresponding detail-list URL: http://www.he-pai.cn/lntpayplandetail/memberCenter/selContract.do?CN_FL_NO=ct20151115056994&CN_STS=0
Hepai loan number 201409250006: http://www.he-pai.cn/investmentDetail/investmentDetails/view.do?Ln_no=JK14092500644774
Corresponding detail-list URL: http://www.he-pai.cn/lntpayplandetail/memberCenter/selContract.do?CN_FL_NO=CT20140925036331&CN_STS=0
With a detail list, a specific person can be targeted with the leaked database; if that succeeds, the user's privacy is lost, the safety of their funds may be compromised, and a new social engineering database may be built and sold.
Solution:
Filter