Brazil’s largest forex bank vulnerable to attack


Braza Bank left its systems vulnerable to cyberattacks and account takeover, Cybernews research shows.

On July 21st, 2024, the Cybernews research team discovered a vulnerability in the systems of Braza Bank, the largest Brazilian foreign exchange bank.

The bank is part of the Braza Group, a fintech conglomerate that also operates Braza UK, an e-money institution based in England, Braza PT in Portugal, the tech firm Braza Tech, and CloudBreak, a multicurrency account service.

Researchers discovered a publicly exposed environment configuration file (.env) belonging to the bank. The file contains sensitive information that could aid threat actors in launching an attack against the institution.

An environment file is a text file that stores sensitive information that the system needs to run, such as passwords, API keys, or database details. Protecting access to .env files is a good security practice, as they can become a goldmine for threat actors.

Unfortunately, that was not the case for Braza Bank, as the file was left accessible to anyone on the internet. The researchers' observations reveal that the environment file was exposed for ten months.
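A file like this usually ends up public because the web server happily serves any file under its document root, dotfiles included. The following is an added example (not Cybernews' or Braza Bank's code) of the server-side control that prevents it: a request-path filter that refuses to serve dotfiles and anything named like an environment file, wrapped around Python's stock `http.server` handler. The decoding and normalisation steps exist because a naive string comparison against "/.env" misses percent-encoded or `..`-prefixed variants. All paths used below are constructed for illustration.

```python
"""Added example (not Cybernews' or Braza Bank's code): refuse to serve
dotfiles such as .env from a web root. Paths below are constructed."""
import posixpath
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import unquote, urlsplit


def is_blocked_path(raw_path: str) -> bool:
    """Return True if the request path must be refused.

    Steps:
      1. drop the query string,
      2. percent-decode twice so /%2Eenv and /%252Eenv behave like /.env,
      3. normalise '..' segments so /app/../.env becomes /.env,
      4. reject any segment starting with '.' (.env, .git, .htpasswd, .env.bak)
         or containing '.env' (prod.env, backup.env.old).
    """
    path = urlsplit(raw_path).path
    path = unquote(unquote(path))
    path = posixpath.normpath("/" + path.lstrip("/"))
    for segment in path.split("/"):
        if segment.startswith(".") or ".env" in segment.lower():
            return True
    return False


class DotfileDenyingHandler(SimpleHTTPRequestHandler):
    """Static-file handler that applies is_blocked_path before serving."""

    def do_GET(self):
        if is_blocked_path(self.path):
            # 404 rather than 403 so the response does not confirm the file exists.
            self.send_error(404)
            return
        super().do_GET()


if __name__ == "__main__":
    # Serves the current directory on localhost; dotfiles return 404.
    HTTPServer(("127.0.0.1", 8000), DotfileDenyingHandler).serve_forever()
```

The filter is defence in depth, not a substitute for keeping `.env` outside the document root altogether; the same check belongs in the reverse proxy (nginx and Apache both have location-based deny rules) so that a misconfigured application server cannot undo it.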

Vulnerable services include:

  • Email and Communication Services
  • API and Backend Services
  • Push Notification Services
  • Cloud Storage and Data Access
  • Authentication and Authorization Services

Leaked environment file. Source: Cybernews

Threat to bank users and infrastructure

With leaked credentials in hand, malicious actors could exploit the bank’s systems to gain unauthorized access to sensitive customer information, disrupt services, and potentially cause data breaches.

Attackers could also exploit email and notification systems for phishing or spamming, manipulate authentication processes to impersonate users, or access sensitive data stored in storage buckets.

What sensitive data was leaked:

  • AWS Cognito authentication service: Client ID, Client Secret, and User Pool ID
  • OneSignal push notification: App ID and Key
  • PEAR Mail configuration: SMTP host, email address, and password
  • Single Sign-On (SSO) configuration: the authorization endpoint, Client ID, response type, and scope
  • AWS S3 storage bucket: Region and name of the bucket
  • API endpoint details
  • Miscellaneous configuration details: flags for authentication bypass, profile codes, authentication log key
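When a responder gets hold of a file like the one above, the first job is to turn it into a rotation list without copying the secrets anywhere else. The following is an added example (not Cybernews' or Braza Bank's code) that parses a `.env` file, sorts each variable into the service categories the article names, marks which ones are credentials that must be rotated, and flags dangerous switches such as an authentication-bypass toggle. The sample file, variable names and values are constructed placeholders, and the category and secret-name patterns are assumptions you would tune to your own naming conventions; the output deliberately carries only key names and value lengths, never the values.

```python
"""Added example (not Cybernews' or Braza Bank's code): triage a leaked .env
file into a rotation plan. Sample content and naming rules are constructed."""
import re
from collections import defaultdict

# Constructed sample; every value is a placeholder.
SAMPLE_ENV = """\
# constructed sample, values are placeholders
COGNITO_CLIENT_ID=placeholder-client-id
COGNITO_CLIENT_SECRET="placeholder-client-secret"
COGNITO_USER_POOL_ID=placeholder-pool
ONESIGNAL_APP_ID=placeholder-app
ONESIGNAL_API_KEY='placeholder-key'
MAIL_HOST=smtp.example.invalid
MAIL_USERNAME=notify@example.invalid
MAIL_PASSWORD=placeholder-password
SSO_AUTHORIZE_URL=https://sso.example.invalid/authorize
SSO_CLIENT_ID=placeholder-sso-client
AWS_S3_BUCKET=example-bucket
AWS_REGION=sa-east-1
API_BASE_URL=https://api.example.invalid
AUTH_BYPASS_ENABLED=true
"""

# First matching rule wins; patterns are tested against the key name only.
CATEGORY_RULES = [
    ("Authentication and Authorization", re.compile(r"COGNITO|SSO|OAUTH|JWT|AUTH", re.I)),
    ("Push Notification", re.compile(r"ONESIGNAL|PUSH|FCM|APNS", re.I)),
    ("Email and Communication", re.compile(r"MAIL|SMTP", re.I)),
    ("Cloud Storage", re.compile(r"S3|BUCKET|STORAGE|AWS_REGION", re.I)),
    ("API and Backend", re.compile(r"API|BACKEND|ENDPOINT", re.I)),
]
# Whole-word match so BYPASS is not mistaken for PASS.
SECRET_NAME = re.compile(r"(^|_)(SECRET|PASSWORD|PASSWD|KEY|TOKEN)(_|$)", re.I)
RISKY_FLAG = re.compile(r"BYPASS|DEBUG|DISABLE|SKIP", re.I)
TRUTHY = {"1", "true", "yes", "on"}


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skips blanks/comments, handles 'export ' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue  # malformed line, ignore
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def categorize(key: str) -> str:
    for name, pattern in CATEGORY_RULES:
        if pattern.search(key):
            return name
    return "Miscellaneous"


def audit_env(text: str) -> list:
    """One finding per variable; values are reduced to their length."""
    findings = []
    for key, value in parse_env(text).items():
        findings.append({
            "key": key,
            "category": categorize(key),
            "is_secret": bool(SECRET_NAME.search(key)),
            "risky_flag": bool(RISKY_FLAG.search(key)) and value.lower() in TRUTHY,
            "value_len": len(value),
        })
    return findings


def rotation_plan(findings: list) -> dict:
    """Category -> credential keys that must be rotated."""
    plan = defaultdict(list)
    for f in findings:
        if f["is_secret"]:
            plan[f["category"]].append(f["key"])
    return dict(plan)


if __name__ == "__main__":
    results = audit_env(SAMPLE_ENV)
    for category, keys in rotation_plan(results).items():
        print(f"rotate [{category}]: {', '.join(keys)}")
    for f in results:
        if f["risky_flag"]:
            print(f"review flag: {f['key']} is enabled")
```

Non-secret identifiers such as client IDs, pool IDs and bucket names are not rotated by this plan, but they still tell an attacker where to aim, so the audit keeps them in the findings list for the incident record.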

“Exposure of an environment file poses serious security risks in several critical areas. It could potentially impact authentication and authorization services, as well as email and communication systems. On top of that, the compromised API, backend services, and cloud storage might allow unauthorized access to sensitive data,” the Cybernews research team explained.

“The leaked information could let attackers take advantage of system vulnerabilities. That’s why it is important to always secure configuration files to prevent data breaches and unauthorized access,” they added.

Such a leak would not only damage the bank's reputation and erode customer trust, but also put users at serious financial and personal risk.

Cybernews contacted Braza Bank, which promptly secured access to the environment file. In an official statement, the company said that its internal data was not affected. It claims to have investigated the exposed credentials and identified that they were “already deprecated or not privileged enough to cause any harm.”

“We added new cybersecurity controls and improved our internal processes to support us in mitigating this type of situation,” a spokesperson told Cybernews.
