Security Flaw in Swish reveals transaction history of other users.

The flaw was found by a security researcher from Nullbyte.

Swish's Mobile BankID integration began with an authentication request that returned a reference number to the client.

After the user had authenticated, the same request was sent again, this time carrying the reference number.

An authenticated user could retrieve any other user's complete transaction history simply by changing the MSISDN (the phone number identifying the account) in that second request.

The Swish server checked that the caller was authenticated, but never checked whether that user was authorized to read the history of the MSISDN named in the request: authentication was verified, authorization was not.
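The following is an added example, not code from Swish, HIQ or the article. It models the two-step flow described above on the server side with a vulnerable history lookup beside a hardened one. All function names, the session store, the MSISDNs and the transactions are constructed for illustration; the Mobile BankID completion is simulated by a single call rather than a real signing flow.

```python
"""Added example (not from Swish, HIQ, or the article): a minimal model of
the authorization gap described above. All names, MSISDNs and transactions
are constructed."""

import secrets

# Constructed sample data: per-user transaction history keyed by MSISDN.
TRANSACTIONS = {
    "+46700000001": [{"id": "t1", "amount": 250, "to": "+46700000002"}],
    "+46700000002": [{"id": "t2", "amount": 80, "to": "+46700000001"},
                     {"id": "t3", "amount": 1200, "to": "+46700000003"}],
}

# Hypothetical server-side session store: reference number -> session state.
SESSIONS = {}


def start_auth(msisdn):
    """Step 1: the client sends its MSISDN and receives a reference number.
    The reference is bound server-side to the MSISDN that requested it."""
    reference = secrets.token_hex(8)
    SESSIONS[reference] = {"msisdn": msisdn, "authenticated": False}
    return reference


def complete_auth(reference):
    """Simulates the Mobile BankID completion marking the session as
    authenticated. Real BankID signing is out of scope for this example."""
    SESSIONS[reference]["authenticated"] = True


def get_history_vulnerable(reference, msisdn):
    """Vulnerable: verifies that the caller holds an authenticated reference,
    then serves whichever MSISDN the request names (the flaw in the article)."""
    session = SESSIONS.get(reference)
    if session is None or not session["authenticated"]:
        raise PermissionError("401: not authenticated")
    return TRANSACTIONS.get(msisdn, [])


def get_history_fixed(reference, msisdn):
    """Hardened: the MSISDN in the request must match the MSISDN the reference
    was issued to, so an authenticated user can only read their own history.
    Authentication and authorization are two separate checks."""
    session = SESSIONS.get(reference)
    if session is None or not session["authenticated"]:
        raise PermissionError("401: not authenticated")
    if session["msisdn"] != msisdn:
        raise PermissionError("403: reference is not bound to this MSISDN")
    return TRANSACTIONS.get(msisdn, [])


def demo():
    """User 1 authenticates as themself, then asks for user 2's history.
    Returns (what the vulnerable endpoint leaked, whether the fix blocked it)."""
    ref = start_auth("+46700000001")
    complete_auth(ref)
    leaked = get_history_vulnerable(ref, "+46700000002")
    try:
        get_history_fixed(ref, "+46700000002")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable endpoint leaked", len(leaked), "transactions of another user")
    print("fixed endpoint blocked the request:", blocked)
```

The simplest hardening is often stronger than the comparison shown here: derive the MSISDN from the authenticated session and ignore any MSISDN the client supplies, so there is no client-controlled identifier to tamper with in the first place.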

HIQ took note of the researcher's findings, and the vulnerability was fixed about a week later.

source: www.techworm.net