
HSBC Mobile App – Authentication Flaw - valkyrieuk
I discovered a flaw in the UK HSBC Mobile banking app.

Essentially the flaw consisted of being able to authenticate through the mobile app using characters that are not in your password (i.e. the wrong password).

I raised this with HSBC via Twitter and this was the response.

"Hi ValkyrieUK, my name's Claire and I'm from the Digital Complaints Team. Thanks for getting in touch about the concerns you have with our app. We're aware customers can enter additional characters on to their password and it will be accepted as a successful log on. We don't classify this as a security risk, as your password must still be entered correctly for it to be accepted. I'll certainly record your feedback about this matter though and would like to apologise for any concern caused. Kind regards, Claire"

How can this be correct? They clearly are not following a well proven authentication standard, possibly some kind of REGEX involved.
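As an added illustration (not code from this thread, and not HSBC's implementation, which is unknown): a hypothetical verifier that reproduces the reported symptom via an unanchored regex match, next to a salted, full-length check that rejects a password with extra characters appended.

```python
import hashlib
import hmac
import os
import re


def verify_regex_prefix(stored_password: str, supplied: str) -> bool:
    """Hypothetical flawed check modelling the symptom in the post.

    re.match anchors only at the START of the string, so any trailing
    characters after the correct password still produce a match.
    """
    return re.match(re.escape(stored_password), supplied) is not None


def register(password: str, iterations: int = 200_000) -> dict:
    """Hardened: per-user random salt, PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_full_match(record: dict, supplied: str) -> bool:
    """Hardened: hash the full supplied string and compare digests in constant time.

    Any appended character changes the digest, so 'password' + 'x' is rejected.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", supplied.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed sample values for illustration only.
    real = "Correct-Horse-7"
    padded = real + "extra"
    record = register(real)
    return {
        "regex_accepts_padded": verify_regex_prefix(real, padded),  # True (flaw)
        "full_accepts_padded": verify_full_match(record, padded),   # False
        "full_accepts_real": verify_full_match(record, real),       # True
    }


if __name__ == "__main__":
    print(demo())
```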
======
mjoxley
Confirms they are not salting passwords and probably storing them in plain
text. I think the app doesn't allow special characters in passwords either.
They really should be called out over this "security".

------
valkyrieuk
Related tweet -
[https://twitter.com/BradleyAllen512/status/10735448523637145...](https://twitter.com/BradleyAllen512/status/1073544852363714561)

