
Potential Security Vulnerability in Paytm: Unauthorised Bank Account Linking [closed]

Çağlar Arlı


I've encountered what appears to be a significant security issue with Paytm, a popular payment platform, and I'm seeking insights on the potential implications and remediation strategies.

Issue Summary: Paytm's system seems to be automatically adding bank accounts to user profiles without user consent or validation. This has led to payments being misdirected to an unknown third party's bank account linked to the user's phone number.

Detailed Steps to Reproduce:

  1. User Registration: A user signs up for a Paytm account using their phone number.
  2. Accidental Bank Account Association: The same phone number is later linked to a different bank account (not owned by the user) due to either a bank error or an error by the individual who opened the bank account.
  3. Automatic Account Crawling by Paytm: Without the user's knowledge or consent, Paytm's system automatically detects this new bank account and associates it with the user's Paytm account.
  4. Misdirected Payments: Payments intended for the user are unknowingly deposited into this third party's bank account.

Response from Paytm's Security Team: I reported this issue to Paytm's Security Team, but they responded by stating that this does not fall under their definition of a security issue and advised contacting customer care or the bank involved.

Questions:

  1. Does this scenario qualify as a security vulnerability or flaw?
  2. What are the potential risks associated with this kind of issue, both for users and the platform?
  3. What steps should be taken to address and report such a vulnerability effectively?

Any insights or advice on this matter would be greatly appreciated.

Thank you.

Note: I have already contacted Paytm's Security Team and followed their suggested steps without a satisfactory resolution.
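The flaw the question describes is a design issue in the account-linking step: a bank account that turns up in a phone-number lookup is treated as proof of ownership and becomes a payout destination with no further check. The following is an added, hypothetical Python model written to illustrate that point; it is not Paytm's code, and every name, account id and phone number in it is constructed. It places the phone-only policy next to a defensive one in which a discovered account is only a pending candidate, the account holder's name must match the user's KYC name, and the user must explicitly confirm before the account can receive funds.

```python
"""Hypothetical model of the account-linking flow described in the question.

Illustrative code added here, not Paytm's implementation. It contrasts two
policies for a bank account that a phone-number lookup returns:

  * link_by_phone_only  -- the behaviour the question describes: any account
    tied to the phone number is attached and becomes a payout destination.
  * link_with_consent   -- a defensive design: the account is held as a
    pending candidate, the holder name must match the user's KYC name, and
    the user must explicitly confirm it before payouts are allowed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BankAccount:
    account_id: str
    holder_name: str
    phone: str


@dataclass
class Profile:
    user_id: str
    kyc_name: str
    phone: str
    linked: list = field(default_factory=list)   # may receive payouts
    pending: list = field(default_factory=list)  # awaiting user confirmation
    audit: list = field(default_factory=list)    # one line per decision


# Constructed sample data: the user's own account and an unrelated third
# party's account that was mistakenly registered with the same phone number.
USER_ACCOUNT = BankAccount("ACC-USER", "Asha Rao", "+91-9999900001")
STRANGER_ACCOUNT = BankAccount("ACC-OTHER", "Vikram Sen", "+91-9999900001")
BANK_DIRECTORY = [USER_ACCOUNT, STRANGER_ACCOUNT]


def lookup_by_phone(phone):
    """Stand-in for the phone-to-account lookup the platform performs."""
    return [acct for acct in BANK_DIRECTORY if acct.phone == phone]


def link_by_phone_only(profile):
    """Flawed policy: a phone match alone is treated as proof of ownership."""
    for acct in lookup_by_phone(profile.phone):
        if acct not in profile.linked:
            profile.linked.append(acct)
            profile.audit.append(f"auto-linked {acct.account_id}")
    return [acct.account_id for acct in profile.linked]


def _normalise(name):
    return " ".join(name.lower().split())


def link_with_consent(profile):
    """Defensive policy: discovery only creates a pending candidate."""
    for acct in lookup_by_phone(profile.phone):
        if acct in profile.linked or acct in profile.pending:
            continue
        if _normalise(acct.holder_name) != _normalise(profile.kyc_name):
            profile.audit.append(f"rejected {acct.account_id}: holder name mismatch")
            continue
        profile.pending.append(acct)
        profile.audit.append(f"pending {acct.account_id}: awaiting user confirmation")
    return [acct.account_id for acct in profile.pending]


def confirm_account(profile, account_id):
    """User explicitly approves a pending account; only then can it be paid."""
    for acct in profile.pending:
        if acct.account_id == account_id:
            profile.pending.remove(acct)
            profile.linked.append(acct)
            profile.audit.append(f"confirmed {account_id}")
            return True
    return False


def payout_destinations(profile):
    return [acct.account_id for acct in profile.linked]


def demo():
    """Run both policies for the same user and return their payout lists."""
    flawed = Profile("u1", "Asha Rao", "+91-9999900001")
    link_by_phone_only(flawed)
    safe = Profile("u1", "Asha Rao", "+91-9999900001")
    link_with_consent(safe)
    confirm_account(safe, "ACC-USER")
    return payout_destinations(flawed), payout_destinations(safe)


if __name__ == "__main__":
    print(demo())
```

Under the phone-only policy the stranger's account becomes a payout destination alongside the user's own; under the consent policy it is rejected at the name check and never reaches the pending list, and even the user's own account cannot receive funds until confirmed. The audit list gives the platform a record of each decision, which is what a support or security team would need to trace a misdirected payment.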