LFI vulnerability allegedly found in website of Barclays/RBS

News by Roi Perez

A hacker going by the name of CyberZeist is claiming to have found a Local File Inclusion vulnerability in the website of "many UK banks".

A hacker going by the name of CyberZeist is claiming to have found a Local File Inclusion vulnerability in the websites of “many” UK banks, providing screenshots of his attack on Twitter, so far only for the websites of Barclays and Royal Bank of Scotland.

Describing himself as a BlackHat, CyberZeist told SCMagazineUK.com that he plans to “use the exploit to steal data”, after which “half will be leaked online” and “the other half will be up for sale for Bitcoins.”

A Barclays spokesperson responded to the claims saying: “We are aware of CyberZeist's tweets and have completed an investigation. The results show that our systems are secure and have not been compromised.” According to CyberZeist, that is correct, as he has yet to carry out the attack.

RBS was contacted for comment but did not respond in time for publication. 

When SC asked for proof of the vulnerability, CyberZeist initially avoided providing any as he claimed the vulnerability is a zero-day, but then provided this screenshot.

CyberZeist told SC: "This is the result of running, 'uname -a' equivalent via the LFI vulnerability. Linux versions can be seen in the body and title bar. HTML markup is broken while running the exploit so the errors are shown. The same vulnerability exists in the RBS website." 

Barclays were sent the screenshot and said they are reviewing it.

SC spoke with a number of security experts who said the screenshots look 'real enough', and because of how significant the vulnerability is, one even doubted that it was CyberZeist who found it.

Commenting on the pictures CyberZeist posted to Twitter, Matthew Hickey, who normally goes by the name of HackerFantastic, founder of the HackerHouse, told SC: “Providing the pictures are not fake, this looks like the attacker has an arbitrary file download capability on servers hosting those bank pages.”

Lewis said this would allow an attacker to “read arbitrary files containing information such as passwords and potentially cryptographic keys or other data.”

CyberZeist seems to be no stranger to these sorts of occurrences: back in 2012 he claimed to have hacked G4S and a few hundred US federal employees, and he has also claimed to have wiped John Podesta's iPhone.

He previously tweeted about cracking the passwords of staffers of former presidential nominee Hillary Clinton.
