A threat actor known as darkMods has posted details on a dark web forum claiming they discovered a critical logic flaw in the Attijariwafa Bank Android app, which allows multiple internal security protections to be bypassed. The vulnerability, which they describe as a 0day, reportedly enables an attacker to sidestep validation layers without traditional code injection or rooting.
According to the post, the flaw:
- Neutralizes internal security flows and renders input checks useless
- Undermines session integrity
- Ignores brute force or anti-bot protections, letting crafted inputs pass as if valid
The hacker states that this is purely a logic exploit (“no advanced injection, just broken trust logic”), making it stealthy, with no crashes or error logs, and potentially escalatable with deeper knowledge of the API.
The threat actor claims Attijariwafa Bank is unaware of this vulnerability, warning that the app is exposed and exploitable in production environments. They are offering this privately for sale in exchange for BTC.
This underscores how even well-established banks can harbor hidden design-level weaknesses, emphasizing the urgent need for rigorous threat modeling and independent security reviews.