Vulnerable Software: UTI Mutual fund Android Application
Vulnerability: Username Enumeration
Affected Version: 5.4.28
Patch: Not Released (03-December-2021)
Vendor Homepage: https://utimf.com/
CVE: CVE-2020-11561
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC available
About Affected Software
Investing in Mutual Funds is now easy with the UTI MF (UTI Mutual Funds) App. It gives you a hassle-free experience to invest in any mutual fund scheme of your choice from anywhere, anytime with just a few clicks. The paperless transactions allow new investors to start a SIP or invest a lumpsum with ease.
Exploit
Input an incorrect username (one that don’t exist), the application will respond with an error message “we are unable to recognize the use user id entered” were as if the valid username is entered and invalid password is provided application responds with “the password entered is incorrect” which assist attacker to enumerate valid usernames
Proof Of Concept
First screenshot shows that user exist
Second screenshot shows that user does not exist
