Fiserv recently had to fix a weakness in its web platform that provided non-actionable event messages for a small number of customers.
As a major provider of technology services to financial institutions, Fiserv powers websites for hundreds of financial institutions. In fact, research shows the company is the top bank core processor, with more than 37 percent market share.
Two weeks ago, security researcher Kristian Erik Hermansen contacted KrebsOnSecurity about an issue he discovered while logged into an account at a small local bank that uses Fiserv’s platform.
“Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific ‘event number.’ Working on a hunch that these event numbers might be assigned sequentially and that other records might be available if requested directly, Hermansen requested the same page again but first edited the site’s code in his browser so that his event number was decremented by one digit,” wrote Brian Krebs in a blog post. “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”
Krebs added that he was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers simply by editing a single digit in a web page request.
After being notified about the issue, Fiserv said in a statement that the problem was caused by an issue with “a messaging solution available to a subset of online banking clients.” The company declined to say exactly how many financial institutions may have been impacted.
“On August 28, 2018, a blog post discussed a one-way messaging feature on a limited number of bank websites impacting a very small percentage of our clients. Upon learning of the issue, we promptly developed a patch to update the feature, deployed the patch to clients and confirmed the patch resolves the issue. Ongoing research and monitoring has not identified, nor have we received reports of, any adverse consumer impact related to this matter. Fiserv recognizes the importance of security and takes all security concerns seriously,” Fiserv noted in an emailed statement.