Varun Agrawal

A massive security flaw in the Angel Broking stockbroker platform which let you see profile information and uploaded documents for their customers

This flaw lets you see a customer's personal details, including name, date of birth, family member details, PAN card and bank account number, as well as their uploaded documents, including signature, address proof and bank statement.

Update:

They have got in touch with me and have fixed the issue. As such, this demo no longer works.

Version 2:

This is a more sophisticated version of the same vulnerability. This example shows how to get the full details of any user by phone number, programmatically and in bulk. For the safety of existing users, I am not writing up the steps to reproduce the vulnerability at large. Instead, I am providing a captcha-protected PoC which anybody can use to confirm the vulnerability.

Visit this URL: https://apps.varunagw.com/AngelBroking.php

Test phone number: 9324116954

Version 1:

Here is how to reproduce it.

  1. Visit https://www.angelbroking.com/open-demat-account
  2. Enter the phone number you want to view details for (it must already be registered with them)
  3. If they have signed up for the platform, you will get all their details and see the documents they uploaded. They don’t do any mobile number OTP verification before showing you the details.
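The missing check in step 3, as an added example that is not part of the original post or of Angel Broking's own code: a minimal Python model of a "resume onboarding" lookup, first keyed on the phone number alone, then gated behind a phone-bound, single-use, attempt-limited OTP so the record is only released to a verified session. The record store, the HMAC secret and the phone numbers are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the broker's onboarding records
# (hypothetical data, not taken from the original post).
PROFILES = {"9324116954": {"name": "Dummy User", "documents": ["signature.png"]}}


def resume_onboarding_vulnerable(phone):
    # The pattern the post describes: the phone number alone unlocks the record.
    return PROFILES.get(phone)


class OtpGate:
    def __init__(self, secret, ttl=300, max_attempts=3):
        self._secret, self._ttl, self._max = secret, ttl, max_attempts
        self._pending = {}   # phone -> [code_digest, expires_at, attempts]
        self._sessions = {}  # bearer token -> verified phone

    def _digest(self, phone, code):
        # Bind the code to the phone so a code for one number cannot be replayed for another.
        return hmac.new(self._secret, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def request_otp(self, phone, send):
        # Same behaviour whether or not the phone is registered, so it cannot enumerate accounts.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[phone] = [self._digest(phone, code), time.time() + self._ttl, 0]
        send(phone, code)  # SMS gateway in production; the code is never returned to the caller

    def verify_otp(self, phone, code):
        # Returns a session token on success; None on a wrong, expired, or exhausted code.
        entry = self._pending.get(phone)
        if entry is None:
            return None
        if time.time() > entry[1] or entry[2] >= self._max:
            del self._pending[phone]  # expired or too many guesses: force a fresh request
            return None
        entry[2] += 1
        if not hmac.compare_digest(entry[0], self._digest(phone, code)):
            return None
        del self._pending[phone]  # single use
        token = secrets.token_urlsafe(32)
        self._sessions[token] = phone
        return token

    def resume_onboarding(self, token):
        # The record is keyed by the verified session, never by a caller-supplied phone number.
        phone = self._sessions.get(token)
        return PROFILES.get(phone) if phone else None
```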

For proof: I created a dummy profile using 9324116954. Try entering this number in the form. Don’t worry, it’s an unused phone number from the Angel Broking support team, so no harm to anyone.

This is a direct link to the form generated using the aforementioned phone number.

The example shows an account which is not fully created. While I have yet to test a fully created account, I think it might work for those too (although with some extra, more complicated steps).