Incorrect configuration of the Telescope tool for the PHP framework Laravel can lead to a dangerous security hole. Golem.de reader Jeremias Wolff found a vulnerable configuration on a bank’s website and pointed this out to us. After doing some research, we found that the vulnerability was real, but the bank wasn’t. Other websites are also affected by the problem.
Telescope is a debugging tool that can be used, for example, to analyze HTTP requests in detail that are processed by a Laravel application. This telescope interface was available to everyone without protection on the GDI-Bank website. Telescope also reveals request variables and cookies. In other words: If you can access the Telescope interface, you will probably also find passwords for users and session cookies there – enough information to get access to users’ accounts from an online bank.
Bank not reachable, numerous dead links
As is usual in such cases, we first tried to alert the bank to the problem. Because before we report the vulnerability, of course, we wanted to make sure that the bank had the opportunity to fix the problem and protect its customers. However, contact with the GDI bank was difficult – and after some time made us doubt whether it actually existed.
There was a link on the website that promised contact information for press representatives. But nothing happened when you clicked on the link. Links to social media profiles and many other links on the website were also broken.
The only online contact option we found was an email address for support inquiries. We sent our request there. In response, we received an error message after a few seconds. The alleged support email address did not exist.
The GDI bank apparently did not have an address either. The information about dollar amounts on the website made us suspect that it is probably a US bank. In addition to banking, we found references to the Tenso Network. It is – supposedly – a cryptocurrency. But we also found little information about the Tenso Coin.