One Time Password (OTP) has become the new security feature on most of the websites, including the banks. This feature allows a user to make online transactions after the identity of the customer is verified by putting the OTP password sent to the registered mobile number from the bank. But who knew this security feature could be easily bypassed and lead to huge loss of money.
A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards shared his research
on how he could easily bypass the OTP of one of the most popular bank,
State Bank of India (SBI) and could make the transaction with any
While making a transaction, the last page of SBI’s website shows a One
Time Password screen where there is a parameter called ‘smartotpflag is
set to Y i.e. smartotpflag=Y’.
Smartotpflag parameter is used to generate OTP, and Y represents ‘yes’
to send the code to the registered mobile. However, the risk factor
arises if someone changes ‘Y’ to ‘N’ which means ‘No’. The transaction
then will be completed without entering the OTP.
Though after Edwards discovery, the vulnerability was patched but it was
highly disappointing that the person who could have easily benefited
from this vulnerability, but choose not to, was neither rewarded nor
acknowledged for his work.
The press too could not make this important news to the papers, thus
keeping the public in dark and keeping the discoverer from any