How I found a vulnerability in QIWI and earned $ 200

Once upon a time I dreamed of becoming an information security specialist and diligently poked around various websites looking for vulnerabilities. My biggest win was finding a vulnerability in the QIWI payment system, for which the kind developers paid me $200. The problem itself was fixed only 3.5 years after my report, and only then was I allowed to tell the world about it. The funny thing is that I found this vulnerability completely by accident, and you could easily have been in my place.

Back in 2015 I used QIWI virtual debit cards to order little goodies for my younger sister from AliExpress. The system was simple: you have some amount of money in your QIWI account, you click the "Issue a virtual card" button and receive the details for paying online. You receive them in a clever way: part is shown in the web interface (the first and last 4 digits of the card number and the expiration date), and the most interesting part comes to you by SMS (the middle 8 digits of the card number and the CVV2). Then one day something went wrong: the first and last 4 digits of the card number were still displayed in the web interface, but they now also started arriving by SMS. The remaining 8 digits, apparently, had to be worked out telepathically.

I am a simple person: I see a problem, I complain to technical support. The answer came very quickly: "This is a temporary error, our specialists are dealing with the situation. We apologize for any inconvenience caused." Fine!



After a couple of days everything worked again, but not the way it had before. The first and last 4 digits of the card number were still sent by SMS, and the site now displayed the middle 8 digits.

Wait a minute, I thought, what if this is a security problem? Like anyone from a big city, I have seen plenty of receipts in my life. They usually show the last 4 digits of the card number, which means those digits are not a secret. You also often see them on sites where you enter and save your card details. A couple of times I saw receipts where the first 4 digits were printed as well. Looking at my family's bank cards, I found they all had the same prefix. Not much of a secret either, then. So, before, the secret data came by SMS and the site displayed the public data, but now it was the other way around!
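To make this point concrete, here is an added example (my own code, not QIWI's) that models the two display schemes described above: a masking function that keeps only the first and last four digits of the card number visible, the inverted display that showed the middle eight digits instead, and a check of each display against the PCI DSS masking rule, which allows at most the first six and the last four digits of a card number to be shown. The card number used is the public Visa test number 4111 1111 1111 1111, not a real card, and the Luhn check is the standard checksum every card number must pass.

```python
# Added example: which digits of a card number (PAN) may safely be displayed.
# Built around the public Visa test PAN 4111 1111 1111 1111, not a real card.

PCI_MAX_PREFIX = 6  # PCI DSS masking rule: at most the first six digits ...
PCI_MAX_SUFFIX = 4  # ... and the last four digits of a PAN may be displayed
MASK = "*"


def _digits(pan: str) -> str:
    """Strip spaces and dashes, keeping only the digits of the PAN."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Check the Luhn check digit, the standard sanity check for a PAN."""
    digits = [int(c) for c in _digits(pan)]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 4, keep_suffix: int = 4) -> str:
    """The original web display: first and last digits visible, the rest masked."""
    digits = _digits(pan)
    middle = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + MASK * middle + digits[len(digits) - keep_suffix:]


def inverted_display(pan: str, hide_prefix: int = 4, hide_suffix: int = 4) -> str:
    """The broken display from the post: outer digits hidden, middle digits shown."""
    digits = _digits(pan)
    return (MASK * hide_prefix
            + digits[hide_prefix:len(digits) - hide_suffix]
            + MASK * hide_suffix)


def exposed_secret_digits(display: str) -> int:
    """Count visible digits outside the prefix/suffix window PCI DSS permits."""
    n = len(display)
    return sum(1 for i, c in enumerate(display)
               if c.isdigit() and PCI_MAX_PREFIX <= i < n - PCI_MAX_SUFFIX)


def display_is_compliant(display: str) -> bool:
    """True when a masked display shows no digit it is not allowed to show."""
    return exposed_secret_digits(display) == 0


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # public test PAN, constructed input
    print("luhn valid:", luhn_valid(pan))
    for label, shown in (("proper", mask_pan(pan)),
                         ("inverted", inverted_display(pan))):
        print(f"{label:9} {shown}  exposed={exposed_secret_digits(shown)} "
              f"compliant={display_is_compliant(shown)}")
```

Run as a script, it prints the two displays side by side: the proper one exposes no digit it should not, while the inverted one exposes six digits that lie outside the permitted window (the two digits at positions five and six happen to fall inside the six-digit prefix PCI DSS tolerates, which is why the count is six rather than eight). The same `exposed_secret_digits` check can be run over whatever a web template actually renders, which is the kind of regression test that would have caught the swap before it reached users.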



I sat down at the computer and wrote a detailed bug report to the bug bounty program, googling all sorts of interesting things about bank card numbers along the way. My main point was: "It used to be fine, and then it became bad." After 9 months they paid me for it, and after another 2.5 years they fixed the error and allowed the story to be disclosed. What can you do, sometimes you just have to wait! In the next iteration QIWI adopted a different approach, which seems to me both more convenient and more secure: to see all the details on the site, you have to enter the confirmation code from the SMS there.

Anyone could have noticed and reported this bug, including you, dear friend. As you can see, it required no special knowledge of information security and not even a deliberate search for the problem; everything happened almost by itself.



Be good cats, report vulnerabilities and bugs to developers, and everything will be fine for everyone!

The original was published on my blog on 03/23/19.