Businesses that utilize Fiserv eBanking platforms should take note of an online banking information disclosure vulnerability that was made public.

Fiserv is a top provider for internet banking solutions for banks of various sizes. In a recent Brian Krebs article, it was verified that an information disclosure vulnerability was discovered by security researcher Kristian Erik Hermansen that allowed one e-banking customer to view certain details of other customers, effectively bypassing authentication. Here are some more details:

  • The eBanking platform allows a customer to set up email based alerts when new transactions are applied to their account and certain other conditions that are customizable (e.g., dollar thresholds).
  • This alerting process assigns the alert a specific event ID number within the web address. According to the analysis performed, these event numbers appeared to be sequential.
  • If a customer has an alert generated, the customer can modify the event ID within the sites’ code and obtain access to alert setup pages for other customers.
  • After gaining access to another customers’ alerts, you can view and edit the alerts, see the customers’ email address, phone number and full bank account number.

The above situation refers to a common type of secure coding issue known as Exposed Session Variables. This issue involves an attacker modifying session tokens to impersonate another individual to gain access to the details and gain the permissions of that individual. There are many times where it may seem that the session variables used in an application are random, but attackers are able to use special tools to try to guess the next variable and gain unauthorized access. The issue is associated with the OWASP Top 10 security issues (A3 – Broken Authentication and Session Management). Testing for these types of errors should be common practice for development shops, and it should also be a routine manual check in a web application penetration test. Checking for this type of vulnerability is part of Schneider Downs’ comprehensive web application penetration test.

Fiserv has researched the issue to determine that it stems from a messaging solution available to a subset of online banking clients.  Additionally, since then, the company has applied a hot fix to all Fiserv hosted platforms which modifies the alert to use randomly generated event ID strings as opposed to a sequential event ID.  Per Fiserv, the hotfix will be made available shortly to users who have local installations of the Fiserv eBanking platform.

IMMEDIATE ACTION:  We recommend that you verify that the hotfix has been applied to your environment by performing a test against an alert if possible

We can assist you with the next steps to take.


  • Independent penetration testing of your online banking environments should be performed to check for potential misconfigurations. This testing should occur at both the network and web-application level.
  • If the application is vendor-hosted, ensure that the vendor is hiring an independent party to perform penetration testing against their products and systems. Ensure that your contracts with your software hosting vendors allow you the ability to review the results of these types of tests with your vendors in more detail. Our cybersecurity experts can guide you through this process.
  • Ensure that your vendors maintain secure coding practices; and ensure that they validate that the releases do not contain vulnerabilities. Similarly, our cybersecurity experts and IT auditors can help assess your vendor’s coding practices.

Contact Schneider Downs’ cybersecurity advisory team for assistance or clarification on how to achieve these security steps.

For more information, please refer to the following sources:

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Shared Assessment SIG Questionnaire – What’s New for 2023?
Buyer Beware: Five Common Holiday Scams of 2022
New Phishing Scam Targets Verified Twitter Accounts
Cybersecurity Awareness Month is Over… Now What?
The Latest on the CommonSpirit Health Ransomware Attack
Former Uber CSO Joe Sullivan Found Guilty of Obstruction of Justice and Misprision
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.