28/06/2019

Reward

$150

In Scope

Scope Type | Scope Name
---|---
web_application | https://devstaging.pcapcloud.com/*

Personal Capital

Here at Personal Capital, we believe in the power of technology to change the financial industry, making it more accessible, affordable, and honest. And we believe in the power of people to change the nature of investment advice, making it more transparent, objective, and personal. We are building a better money management experience for everyone with technology.

Your mission, researcher, should you choose to accept it is to help to ensure that our front end web application stack and back-end API endpoints are tough as nails. Nobody wants their favorite money management app to leak sensitive data out.

The Personal Capital web application is an HTML5 web app using single-page design and using Backbone, React and Angular for rendering web content. The application calls our backend RESTful APIs, written in Java with Spring MVC and JPA. We use RDBMS for persistent storage. You are welcome to stalk our engineering blog for further insights. While we are not providing researchers with the full list of all of our APIs, we do want to help researchers out. If you think you are onto something but just need a bit more information on a specific API, let us know!


Ratings/Rewards

For the initial prioritization/rating of findings, this Bug Bounty Program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher along with the opportunity to appeal and make a case for a higher priority. Please see below for deviations.

Reward Range

Last updated 14 Jun 2019 20:41:37 UTC

Technical severity | Reward range
---|---
P1 Critical | Starting at: $3,000
P2 Severe | Starting at: $1,200
P3 Moderate | Starting at: $550
P4 Low | Starting at: $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
<https://devstaging.pcapcloud.com/*> | Website

Target Details

In scope

  • https://devstaging.pcapcloud.com/* (web client and server-side APIs)
  • Direct calls to the APIs (URIs /api/*) made outside the web page are in scope (e.g. via Postman)

Personal Capital Cash Testing

Our newest offering is called Personal Capital Cash. To get to this feature, navigate to the “Banking” tab in your Personal Capital Dashboard and then select “Open an Account”. Please see the 'Credentials and Access' area below on access to the flow to start your testing.

Out of scope

  • *.personalcapital.com
  • Third-party systems not directly under Personal Capital’s control (e.g.: yodlee, financial institutions, aws-layer attacks)
  • AWS Vulnerabilities or security issues that are not Personal Capital's responsibility under AWS's shared responsibility model
  • Mobile applications (We are not looking at the mobile platforms at this time given they leverage the same APIs)
  • Social engineering of Personal Capital personnel

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Personal Capital not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Please also note that we will have a testing blackout Thursdays between 12:00 pm and 4:00 pm Pacific Time when we refresh the environment.

Credentials and Access

Things that will help you play with things:

Key URLs:

Registration - https://devstaging.pcapcloud.com/page/login/registerUser
Login Page - https://devstaging.pcapcloud.com/page/login/goHome

Credentials:

  • Anyone is free to create their own accounts on our platform through the registration page; we ask that you use your @bugcrowdninja.com email for this purpose.
  • Many authentication scenarios will require you to submit through MFA. You are welcome to use either your personal phone or procure a VOIP number for this purpose.
  • You may be able to use email as “MFA” after registration; this feature is being phased out, so don’t get used to it.

Personal Capital Cash:

Below are some fake test identities that should allow you to progress through the account opening flow to test for vulnerabilities.

A couple of notes on making it through the flow:

  • On the page that asks for “State ID Number”, please generate a random number (if the same number is used by two testers, it will lock the enrollment flow for the user).
  • On the Identity Verification Questions, only select the last answer (this will usually be the “none of the above” answer).

First Name & Middle Initial | Last Name | SSN | DOB | Home Phone | Address
---|---|---|---|---|---
Lawrence J. | Aber | 666661234 | 5/1/1978 | 8645824068 | 8101 W Flamingo Rd Las Vegas NV 89147
Janet A. | Busch | 666822043 | 7/5/1975 | 3129850020 | 4227 N 27th Av #3017 Phoenix AZ 85017
Aziz | Abdullah | 666822882 | 1/1/1951 | 3129850099 | 1001 Riverland Woods Charleston SC 29412
Kim | Statesman | 666121819 | 10/1/1981 | 8885550001 | 677 Integon Clinton SC 29325
Jose | Alvarez | 666101110 | 10/1/1981 | 3129850022 | 117 Hamilton Rd Sterling VA 20165
Jessica | Leete | 666224124 | 11/1/1942 | 3129850024 | 10813 Eagle Nest Rd Ocean Springs MS 39564
Mike WA. | Mechanicsburg | 666010236 | 10/1/1981 | 3129850026 | 3855 75th Rd Kirkland WA 98034
Ernie | McCracken | 666105556 | 3/1/1988 | 3129850020 | 300 Davidson Rd #4E Somerset NJ 08873
Robert | Cagle | 666783615 | 2/24/1986 | 3129850030 | 1700 W Warlow Dr #202 Gillette WY 82716


Focus Areas

  • Server-side APIs are the number one focus area for this program
  • Subverting user authentication completely or partly (e.g.: including MFA)
  • Any SQL-type, stored cross-user XSS or XML/JSON type injection attacks
  • User information PII or financial information disclosure
  • Watering holes

Break these Toys Challenges:

We're introducing this new section to the program, with things we suspect may yield results for our researcher friends but on which our internal team has not yet been able to spend research cycles. Something doesn't quite feel right to us, but we can't quite put our finger on it. May contain low-hanging fruit!

Black box testing indicates potential SQL injection on the following page's

searchString parameter

Interesting APIs

Things you may enjoy playing with (lead with /api/):

  • credential/authenticateEmailByCode
  • credential/authenticateEmailByUrl
  • credential/authenticatePassword
  • credential/authenticatePhone
  • credential/authenticatePin
  • credential/authenticateSms
  • credential/authenticateSsn
  • credential/authenticateUserSiteKnowledge
  • credential/challengeEmail
  • credential/challengePhone
  • credential/challengeSms
  • credential/challengeUserSiteKnowledge
  • credential/getRegisteredCredentials
  • credential/identifyAndAuthenticatePassword
  • credential/identifyAndAuthenticatePin
  • credential/registerCredentials
  • credential/resetPassword
  • credential/resetPin
  • credential/suggestDeviceName
  • feedback/logMarketingEvent
  • filecabinet/getEdocuments
  • fileUpload/getTradeReasonFileBytes
  • fileUpload/getTradeReasonFileDataEntries
  • fileUpload/getTradeReasonFileUploadHistories
  • login/identifyUser
  • login/keepalive
  • login/logoff
  • login/querySession
  • login/softLogout
  • login/suggestFriend
  • login/switchUser
  • login/validateSession
  • registration/registerUser
  • enrollment/getEnrollments
  • enrollment/startEnrollmentCorrection
  • enrollment/submitEnrollment
  • pcbenrollment/createEnrollment
  • pcbenrollment/getEnrollment
  • pcbenrollment/getEnrollments
  • pcbenrollment/updateEnrollment
  • pcbenrollment/submitEnrollment
  • pcbtransfer/create
  • pcbaccount/getAccountStateForTransfer
  • pcbenrollment/verifyIdentity
  • pcbmicrodeposit/initiate
  • pcbmicrodeposit/verify

Financial Institution Aggregation

To fully test the dashboard and many of the interfaces available in our platform you will need financial institutions accounts linked. For this purpose, this environment makes available a test institution. Link it as follows:

  1. Click on “link account” and locate “Dag Site”
  2. Under “Catalog” enter ID pcap.site16441.3
  3. Under “Password” enter Password site16441.3
  4. Click “I’m done linking accounts”
  5. Feel free to also link your own personal accounts should you so desire :)

Known Issues

The following are either known issues we don't want to fix or already known and pending.

  • User enumeration from login page - That's a design decision.
  • No DMARC on the devstaging domain - This domain isn’t used for mail, so this is a non-issue
  • DMARC still not completed on personalcapital.com - We’re aware of this. Stay tuned!
  • Session invalidation on Password Reset & Change - We're aware of this.
  • Content Security Policy / Clickjacking - We’re aware of this.

Exclusions

Things you shouldn’t play with:

  • Any denial of service type attacks (either network, resource exhaustion or anything else)
  • User and email enumeration - we are aware and allow this intentionally. There are some throttling triggers to manage this risk, so there is no need to lock yourself out
  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
  • Any attack or vulnerability that hinges on a user’s computer being first compromised

If you find a vulnerability, do not test on our live systems (out of scope as per above) to demonstrate it. The researcher's environment is an exact replica; demonstrating in this environment is sufficient.


VRT Deviations

Please see below for deviations from the standard VRT.

Priority | Bugcrowd Categories | Specific Vulnerability Name | Variant or Affected Function | Deviation
---|---|---|---|---
P1 | Server Security Misconfiguration | Using Default Credentials | Production Server | P5
P2 | Server Security Misconfiguration | Misconfigured DNS | Subdomain Takeover | P5
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | Missing SPF on Email Domain | P5
P3 | Server Security Misconfiguration | Mail Server Misconfiguration | Email Spoofable Via Third-Party API Misconfiguration | P5
P3 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Automatic User Enumeration | P5
P3 | Application-Level Denial-of-Service (DoS) | High Impact and/or Medium Difficulty | | P5
P3 | Insufficient Security Configurability | Weak Password Policy | Complexity, Both Length and Char Type Not Enforced | P5
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Registration | P5
P4 | Server Security Misconfiguration | No Rate Limiting on Form | Email- Triggering | P5
P4 | Server Security Misconfiguration | Missing Secure or HTTP Only Cookie Flag | Session Token | P5
P4 | Sensitive Data Exposure | EXIF Geolocation Data Not Stripped From Uploaded Images | Manual User Enumeration | P5
P4 | Missing Function Level Access Control | Username Enumeration | Data Leak | P5
P4 | Insufficient Security Configurability | Weak Password Policy | Complexity, Char Type Not Enforced | P5
P4 | Insecure Data Storage | Credentials Stored Unencrypted | On External Storage | P5
P4 | Insecure Data Storage | Sensitive Application Data Stored Unencrypted | On External Storage | P5
P4 | Privacy Concerns | Unnecessary Data Collection | WiFi SSID+Password | P5


Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019
