Vulnerable Software: UTI Mutual Fund Android Application
Vulnerability: Username Enumeration
Affected Version: 5.4.28
Patch Status: Not Released (as of December 3, 2021)
Vendor Homepage: https://utimf.com/
CVE: CVE-2020-11561
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC available
About Affected Software
Investing in Mutual Funds is now easy with the UTI MF (UTI Mutual Funds) App. It gives you a hassle-free experience to invest in any mutual fund scheme of your choice from anywhere, anytime, with just a few clicks. The paperless transactions allow new investors to start a SIP or invest a lumpsum with ease.
Exploit
When a username that does not exist is entered, the application responds with “We are unable to recognize the use user id entered.” If a valid username is entered with an invalid password, the application responds with “the password entered is incorrect.” Because the two failure messages differ, an attacker can tell existing accounts from nonexistent ones and enumerate valid usernames.
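The root cause is a login handler whose failure message depends on whether the user id exists. The following added example (written for this advisory; it is not the vendor's code, and the user store, user names and passwords are constructed) shows a handler that reproduces the behaviour described above next to a hardened one that returns a single generic message, plus a self-check a development team can run against its own login function to confirm the two failure paths are indistinguishable.

```python
import hashlib
import hmac
import secrets

# Constructed example user store: one account, password hashed with PBKDF2.
# Iteration count kept low so the example runs quickly; production would use more.
_SALT = b"constructed-static-salt"
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {
    "alice": _hash_password("correct horse"),  # constructed sample account
}


def vulnerable_login(user_id: str, password: str) -> tuple[bool, str]:
    """Mirrors the pattern in the advisory: a different message for each failure."""
    if user_id not in USERS:
        return False, "We are unable to recognize the user id entered."
    if not hmac.compare_digest(USERS[user_id], _hash_password(password)):
        return False, "The password entered is incorrect."
    return True, "OK"


GENERIC_FAILURE = "The user id or password entered is incorrect."

# Dummy hash used when the user id is unknown, so that path still performs
# a password hash and the response time does not reveal account existence.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))


def hardened_login(user_id: str, password: str) -> tuple[bool, str]:
    """Same message (and same amount of work) for unknown user and wrong password."""
    stored = USERS.get(user_id, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash_password(password))
    if matches and user_id in USERS:
        return True, "OK"
    return False, GENERIC_FAILURE


def leaks_user_existence(login, known_user: str, unknown_user: str,
                         wrong_password: str) -> bool:
    """Self-check: True if the failure message differs between a nonexistent
    user and an existing user supplied with a wrong password."""
    _, msg_unknown = login(unknown_user, wrong_password)
    _, msg_known = login(known_user, wrong_password)
    return msg_unknown != msg_known


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        leaks = leaks_user_existence(handler, "alice", "nobody", "wrong-password")
        print(f"{name}: leaks user existence = {leaks}")
```

The hardened handler fixes the message differential the advisory reports; the dummy hash on the unknown-user path addresses the related timing differential, which a generic message alone does not remove. The same "two failure paths, one response" check can be pointed at any login endpoint during testing, and rate limiting on failed logins limits how far any remaining differential can be exploited.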
Proof Of Concept
The first screenshot shows the response for a user that exists.
The second screenshot shows the response for a user that does not exist.