Cybernews researchers have uncovered a vulnerability in the system of Braza Bank, Brazil’s largest bank, which left its data exposed to cyberattacks. The team of experts discovered that a configuration file (.env), containing sensitive information vital for the operation of banking services, was accessible on the network. This file had been exposed for ten months, posing a significant risk to the security of both the bank and its customers.
The Braza Group, the financial conglomerate to which the bank belongs, also encompasses Braza UK in the United Kingdom, Braza PT in Portugal, Braza Tech, and the multi-currency account service CloudBreak. The exposed file could have granted malicious actors access to key bank systems, such as authentication services, cloud data storage, APIs, and notification services.
The file’s contents included confidential data such as authentication keys, API access credentials, and email service configurations. The exposure posed a threat to bank users, as attackers could gain unauthorized access to personal information, send phishing messages, and even manipulate authentication systems.
Cybernews experts underscored that such a leak could have resulted in severe consequences: attackers could have used the exposed credentials to conduct attacks and access sensitive data. They also emphasized the importance of safeguarding configuration files to prevent similar incidents.
Upon discovering the vulnerability, the Cybernews team contacted Braza Bank, which promptly restricted access to the file. In an official statement, the bank asserted that the leak did not impact internal data, as the compromised keys were either outdated or lacked sufficient privileges to cause harm.
Braza Bank also stated that it has strengthened its cybersecurity measures and enhanced its internal processes to prevent such incidents in the future.