Bug Bounties

S-Pankki

Powered by: 

Allows bounty splitting: 

Average time to first program response: 13

Average time to bounty awarded: 79

Average time to report resolved: 

Handle s-pankki

Managed program: true

Name: S-Pankki

Offers bounties: true

Offers swag: false

Response efficiency percentage: 95

Submission state: open

Url: https://hackerone.com/s-pankki

Website: https://www.s-pankki.fi

In scope:

  • Asset identifier: 740514933
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-mobiili banking application (iOS). The application can be found in the App Store: https://apps.apple.com/fi/app/s-mobiili/id740514933?l=fi
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: fi.spankki
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-mobiili banking application (Android). The application can be found in Google Play: https://play.google.com/store/apps/details?id=fi.spankki&hl=fi
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://crosskey.io/stores/s-pankki/apis
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Bank PSD2 interface.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://digili.s-cloud.fi/
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Services for S-Bank and S-Group customers where customers can take S-Bank basic banking services into use (later "Digipa") and gain S-Group co-op membership (later "Digili"). Basic banking services include opening an account and setting it as a benefit services account, applying for a Visa Debit card, and opening and ordering net bank credentials that can be used to log in to the S-Bank netbank and to identify oneself in digital environments.
Digili and Digipa are different applications, but they are built on top of the same services. The difference between them is that in Digili the user opens S-Group co-op membership before opening basic banking services, whereas in Digipa the user can open banking services directly without gaining S-Group co-op membership. If the user does not have the required co-op membership, s/he is directed to the Digili application. If the user already has co-op membership and enters Digili, s/he is forwarded to open banking services. If the user already has some of the offered basic banking services in use, that step is skipped and the user is shown the possibility to open the missing services.
Digili and Digipa can be entered through https://www.s-pankki.fi/fi/tule-asiakkaaksi/, https://www.s-kanava.fi/asiakaspalvelu/nain-liityt/, or by taking S-mobiili into use as a non-member of the S-Group co-op, in which case the user is directed automatically to Digili to gain the S-Group co-op membership that is required to take S-mobiili into use.
To access Digili or Digipa the user needs to authenticate himself/herself with Finnish banking credentials or through Mobiilivarmenne, and must also fulfil the following requirements:
- Must be 18 years of age
- Must have a Finnish social security number
- Must have a permanent street address in Finland
If the user is not an S-Group co-op member, a minimum membership payment of 20€ must be made during the process.
Only vulnerabilities under the domains https://digili.s-cloud.fi/ and https://api.digili.s-cloud.fi are eligible for bounty.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://extranet.s-pankki.fi/
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Bank portal where customers can take care of their S-Bank business using other banks' credentials.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: https://tunnistus.s-ryhma.fi
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Group online identity (S-käyttäjätili, later "S-ID"). To get access to all of the asset's functionality, we prefer that you create a new S-ID account via S-Kaupat (https://www.s-kaupat.fi/) "Kirjaudu (Login) / Luo S-käyttäjätili (Create new account)". You can also access that account, or other test accounts you have created, via S-Kaupat "Kirjaudu / Kirjaudu S-käyttäjätilillä". The S-ID service at https://tunnistus.s-ryhma.fi is available in Finnish, Swedish and English. When you create S-ID accounts, please include a HackerOne reference in the account details, for example: firstname.lastname+hackerone@email.com
To enable login via SMS OTP, you first need to verify the phone number from "S-käyttäjätili" via S-Kaupat "Firstname / Oma profiili / Muokkaa tietojasi S-käyttäjätilillä". On that page, under "Yhteystiedot" (Contact details), click "Vahvista puhelinnumero" (Verify phone number). Notice that:
- Phone number verification requires a recent-enough login/session.
- A phone number can be in the "verified" state in only one (1) account at a time.
You are allowed to access S-ID accounts that you have created for testing purposes; any other accounts are out of scope. Notice that these "HackerOne" S-ID accounts will be automatically removed after a certain period of time. They are available for at least 3 months from the date of creation.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.prisma.fi
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Group online consumer goods store. You do not need an account, but to get access to all of the asset's functionality we prefer that you create a Prisma/S-Käyttäjätili account via "Kirjaudu" / "Log in". If you create a Prisma/S-Käyttäjätili account, please include a HackerOne reference in the account details, for example "firstname.lastname+hackerone@email.com". Notice that these Prisma/S-Käyttäjätili "HackerOne" accounts will be automatically removed after 6 months. Please use the email address "firstname.lastname+hackerone@email.com" for the order form and the contact form. Note: Real orders will be delivered and charged with the given information. Only domestic delivery (Finland).
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.s-kaupat.fi/
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Group online grocery store. You do not need an account, but to get access to all of the asset's functionality we prefer that you create an S-Kaupat account via "Kirjaudu" / "Log in". If you create an S-Kaupat account, please include a HackerOne reference in the account details, for example "firstname.lastname+hackerone@email.com". Notice that these S-Kaupat "HackerOne" accounts will be automatically removed after 6 months. If you create a grocery order, please fill in "Älä kerää" / "Do not collect" in the field "lisätiedot kaupalle" (additional information for the store) and set the pickup date to a minimum of five days from the current date.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: https://www.s-pankki.fi
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-bank public pages
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: mobile.s-pankki.fi
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-mobile banking application interface.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: online.s-pankki.fi
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: S-Bank netbank, which provides netbank functionality (accounts, payments, cards, loans, investments etc.) to private customers. Notice that you should use your own netbank credentials or the demo customer credentials (ID: 12345678 PW: 123456). Please make sure to include your @wearehackerone email address in the User-Agent header when testing the online.s-pankki.fi asset. Requests without this identification might be blocked.
  • Integrity requirements: high
  • Max severity: critical
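The User-Agent identification required for online.s-pankki.fi is the one operational rule a tester's tooling has to get right before sending traffic, since untagged requests may be blocked and the resulting findings are hard to reproduce. The following is an added example, not code from S-Pankki, HackerOne or the program page: it tags an existing User-Agent with the researcher's HackerOne alias (HackerOne issues these as handle@wearehackerone.com) and scans raw requests, for instance an intercepting-proxy export, for any that lack it. The "HackerOne/<email>" token layout, the handle name and the sample requests are assumptions; the program only requires that the address appear somewhere in the header.

```python
"""
Added example (not part of the S-Pankki program page): build and check the
User-Agent identification that the online.s-pankki.fi scope asks for.
The page only requires that the @wearehackerone.com address appear in the
User-Agent header; the exact token layout used below is an assumption.
"""
from __future__ import annotations

import re

H1_ALIAS_DOMAIN = "wearehackerone.com"
# Matches a HackerOne alias address anywhere inside a header value.
_H1_RE = re.compile(r"[A-Za-z0-9._+-]+@" + re.escape(H1_ALIAS_DOMAIN), re.IGNORECASE)


def tag_user_agent(base_ua: str, handle: str) -> str:
    """Append the researcher's HackerOne alias to an existing User-Agent string.

    `handle` is the HackerOne username; the alias is <handle>@wearehackerone.com.
    The "HackerOne/<email>" token layout is an assumption, not a program rule.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", handle):
        raise ValueError("handle must be a plain HackerOne username")
    return f"{base_ua} HackerOne/{handle}@{H1_ALIAS_DOMAIN}"


def identification_in_headers(headers: dict) -> str | None:
    """Return the alias found in the User-Agent header, or None if it is absent.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "user-agent":
            m = _H1_RE.search(value)
            return m.group(0) if m else None
    return None


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (e.g. a proxy export) into its header fields."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def unidentified_requests(raw_requests: list[str]) -> list[int]:
    """Indexes of requests whose User-Agent lacks the HackerOne alias."""
    return [
        i for i, raw in enumerate(raw_requests)
        if identification_in_headers(parse_raw_request(raw)) is None
    ]


# Constructed sample traffic for a local check; these are not real captures.
SAMPLE_REQUESTS = [
    "GET /login HTTP/1.1\r\nHost: online.s-pankki.fi\r\nUser-Agent: "
    + tag_user_agent("Mozilla/5.0", "researcher") + "\r\n\r\n",
    "POST /api/payments HTTP/1.1\r\nHost: online.s-pankki.fi\r\n"
    "user-agent: Mozilla/5.0\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for i in unidentified_requests(SAMPLE_REQUESTS):
        print(f"request {i} lacks the @{H1_ALIAS_DOMAIN} identification and may be blocked")
```

In practice the tagged string from tag_user_agent is what you hand to curl's -A option or to a proxy's match-and-replace rule on the User-Agent header, and unidentified_requests is a quick audit over an exported request history before a report is written, so that every reproduction step carries the identification the program asks for.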