HDFC bank hacked, bank claims vulnerabilities fixed

One of India’s premier banking institutions, i.e. HDFC bank reportedly suffered a hack affecting its customer database system. Citing a threat of a critical level was discovered on the 15th July, 2011 by team zSecure. News of the vulnerability was immediately notified to the bank by the zSecure team through an email. A vulnerability called 'Hidden SQL Injection Vulnerability' had apparently gripped HDFC bank's customer database. According to the blog post by zSecure, the vulnerability allowed the hackers to have total control of the information they wished to access. Hackers could create a dump and easily carry out shell uploading, too. 

The affected database (Image credit: zSecure)

The post further revealed that the mail notifying the bank of the critical vulnerabilities was replied to, a good 22 days later. Furthermore, the reply mail stated that they (HDFC bank) had looked into the vulnerability and had fixed it, which later was proved to be a false claim. A reply to the second mail read, "We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability."

The zSecure post ended with an optimistic - ".....finally the vulnerable file was removed from HDFC’s web-server."