The Talkative Chatbot in the Banking Sector

A bank with operations across multiple African countries asked us to run pentests across all their web apps, mobile apps, internal networks and public-facing infrastructure – a big chunk of work exceeding a thousand hours of testing. 

By far, the most interesting and impactful discovery came from an unexpected quarter: a chatbot on the bank’s customer-facing site. The bot had debug mode enabled in its source code. As such, it gave verbose responses intended for developers to monitor functionality, and among these was a set of credentials. 

As we were testing the client’s broader infrastructure, our team came across another location requiring authentication. Using the details from the chatbot, we gained access and found storage buckets containing sensitive customer data. A serious compliance issue, but fortunately, one with a clear fix. 

Here’s to thoroughness.

Let Mobius Binary determine whether your application, system, or network is clearly secure or not.

Contact us