Woolworths Financial Services, Check Yo Self

If you want to know how I accessed a vulnerable production server and don't care for my 2c, just scroll to the end. Let's start with how literally insane it is that no one at Woolworths has gotten back to me yet about this.


The Background

It all begins with SMSes urging me to pay my account before the payment due date. I contacted @WOOLWORTHS_SA and basically got shrugged off. Some time goes by and I check my emailed account statement, which I had stopped doing since I got their app.

Wut Password?

When your account statement is emailed to you, it is password-protected, the password being your ID number. When you view your statements in the app, you don't need a password. Which can only mean the statements are stored somewhere without that protection...

PCI DSS For Who?

InfoSec isn't easy; information security existed before computers. There's maths, cryptography, randomness, and other things I'm not great at.
There's also common sense.

// Client-side BIN-prefix check from the app; Utils.SILVER_CARD, GOLD_CARD and BLACK_CARD are prefix constants defined elsewhere in the app.
public static boolean isWoolworthsCard(String creditCard) {
    return creditCard.startsWith("486725") || creditCard.startsWith(Utils.SILVER_CARD)
        || creditCard.startsWith(Utils.GOLD_CARD) || creditCard.startsWith(Utils.BLACK_CARD)
        || creditCard.startsWith("600785");
}

If you need code like this in the client-side app, STOP!

lol.txt

If you read the Terms and Conditions applicable to Woolworths Financial Services customers at https://m.woolies.co.za/?url=TermsAndConditions, you'll find the following:

Your duties:

Your account number and identity number operate as security and authentication measures. You must keep your account number and identity number secret. You must not disclose your account number and identity number to any other person.

You must take all reasonable precautions to prevent any person from accessing or using the Access channel. If you know or suspect that someone else has gotten hold of your details, you must immediately notify us.

Unauthorized use of your account details:

If another person gets hold of your account number or identity number, by whatever means, we will regard you as having authorized this person to use the access channel and to access your account on your behalf, unless you are able to prove that this person obtained the details because we were negligent, or because of internal fraud perpetrated at WFS.

Clearly they knew that their authentication mechanism was flawed from the start. Now visit
http://m.woolies.co.za/Css/lol.txt
I uploaded that .txt file as proof that I have access to their production server.

How did I get access? There was a public folder containing the deployment script and the private key to SSH into their AWS instance.


Sigh...
Woolworths, please check yo self before you wreck yo self. For your customers, myself included, please take your online platform down until you fix these glaring issues.

If you're reading this and know someone at Woolworths, please share this post with them.

Lastly, if you're on AWS, please use AWS Secrets Manager. On Azure, use Key Vault and, where possible, managed identities for Azure resources.
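The root cause described above (a deploy script and its SSH private key sitting in a public folder) and the Secrets Manager advice, as an added example that is not Woolworths' code: a POSIX shell pre-deploy guard that refuses to publish a web root containing key material, alongside the aws CLI fetch that replaces a key on disk. The pattern list, directory layout and the secret ID are assumptions, and the sample directories are constructed.

```shell
#!/bin/sh
# Added example, not Woolworths' own deploy script: a pre-deploy guard that
# refuses to publish a web root containing private keys or AWS credentials,
# plus the Secrets Manager fetch that replaces a key sitting on disk.
# Assumes POSIX sh with grep -E and find; the sample directories are constructed.
# Content patterns that never belong under a web root (assumed list).
SECRET_REGEX='-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|aws_secret_access_key|ssh -i '

# scan_webroot DIR: print every offending file; return 0 only if DIR is clean.
scan_webroot() {
    dir=$1
    hits=0
    # 1. Files whose contents look like key material or AWS credentials.
    if grep -rnE "$SECRET_REGEX" "$dir" 2>/dev/null; then
        hits=1
    fi
    # 2. Files whose names give them away, whatever they contain.
    named=$(find "$dir" -type f \( -name '*.pem' -o -name 'id_rsa*' \
        -o -name 'id_ed25519*' -o -name 'deploy*.sh' \) -print)
    if [ -n "$named" ]; then
        printf '%s\n' "$named"
        hits=1
    fi
    return $hits
}

# fetch_deploy_key SECRET_ID OUTFILE: at deploy time, pull the SSH key from
# AWS Secrets Manager into a mode-0600 file outside the web root. Needs the
# aws CLI and the IAM permission secretsmanager:GetSecretValue; not exercised
# by the constructed demo below.
fetch_deploy_key() {
    ( umask 077
      aws secretsmanager get-secret-value --secret-id "$1" \
          --query SecretString --output text > "$2" )
}

# constructed_webroot leaky|clean: build a throwaway directory and print its
# path. "leaky" reproduces the mistake in the post: a deploy script and its
# private key (placeholder body) next to the public CSS folder.
constructed_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/Css"
    printf 'body { color: #000; }\n' > "$root/Css/site.css"
    if [ "$1" = "leaky" ]; then
        printf '#!/bin/sh\nssh -i deploy.pem ec2-user@EXAMPLE-HOST\n' > "$root/deploy.sh"
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
            '-----END RSA PRIVATE KEY-----' > "$root/deploy.pem"
    fi
    printf '%s\n' "$root"
}
```

Run `scan_webroot /path/to/webroot || exit 1` as the first step of the deploy job so a leaky tree never reaches the server.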