A critical security vulnerability has been discovered in the State Bank of India’s YONO mobile banking application, potentially exposing millions of users to sophisticated cyber attacks.
The vulnerability, officially designated as CVE-2025-45080, affects version 1.23.36 of the YONO SBI: Banking & Lifestyle app and has been classified under the National Vulnerability Database with significant security implications for users’ financial data.
The vulnerability stems from a fundamental security misconfiguration within the application’s architecture.
Security researcher H4cKr1337, who disclosed the findings on June 29, 2025, identified that the YONO SBI app explicitly enables cleartext network traffic through the Android manifest setting android:usesCleartextTraffic="true".
This configuration allows the application to transmit sensitive banking information over unencrypted HTTP connections, directly contradicting modern security standards.
The technical analysis reveals that this setting overrides Android’s default security protections.
For applications targeting API level 28 (Android 9) or higher, Google has mandated that cleartext traffic should be disabled by default to prevent exactly this type of vulnerability.
The presence of this configuration in a banking application represents a significant departure from industry best practices and regulatory security requirements.
The researcher’s proof-of-concept demonstration involved decompiling the application’s APK file using standard reverse engineering tools and examining the AndroidManifest.xml file.
Network traffic analysis using professional security tools like Burp Suite and Wireshark confirmed the presence of unencrypted HTTP communications during normal application operations.
YONO SBI App Vulnerability
The vulnerability creates multiple attack vectors that malicious actors can exploit to compromise user accounts and financial transactions.
Man-in-the-middle attacks become particularly feasible when users connect to public Wi-Fi networks or compromised internet infrastructure.
Attackers positioned between the user’s device and SBI’s servers can intercept, read, and potentially modify all communications without detection.
The security implications extend beyond simple data interception. Attackers can leverage this vulnerability to perform session hijacking, credential harvesting, and transaction manipulation.
The unencrypted nature of the communications means that sensitive information including login credentials, account balances, transaction details, and personal identification data could be exposed to unauthorized parties.
The vulnerability has been categorized under CWE-319 (Cleartext Transmission of Sensitive Information), emphasizing the fundamental nature of the security flaw.
Given that YONO SBI serves as the primary digital banking platform for one of India’s largest banks, the potential impact affects millions of users across the country.
The disclosure of CVE-2025-45080 underscores the critical importance of rigorous security testing in financial applications and highlights the ongoing challenges banks face in maintaining secure digital banking platforms in an increasingly complex threat landscape.
User Protection
Banking security experts recommend that YONO SBI users immediately update their applications once a patched version becomes available.
Users should avoid conducting banking transactions over public or unsecured Wi-Fi networks until the vulnerability is resolved.
Additionally, customers should monitor their accounts closely for any unauthorized activities and report suspicious transactions immediately.
SBI’s cybersecurity team must prioritize releasing an emergency patch that disables cleartext traffic and enforces encrypted HTTPS communications for all network operations.
The fix should include implementing certificate pinning and additional transport layer security measures to prevent similar vulnerabilities in future releases.
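The manifest check the researcher performed (decompiling the APK and reading AndroidManifest.xml) and the manifest-level part of the fix described above can both be expressed as a small audit script. This is an added example, not the researcher's proof-of-concept or SBI's code; the three manifests it inspects are constructed samples, and the rules it applies (the flag is ignored when a Network Security Config is declared on API 24+, and the platform default only blocks cleartext when targeting API 28+) are Android's documented behaviour.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    # Manifest attributes live in the android: namespace
    return None if elem is None else elem.get("{%s}%s" % (ANDROID_NS, name))

def cleartext_policy(manifest_xml):
    """Effective cleartext-traffic policy of a decompiled AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    nsc = _attr(app, "networkSecurityConfig")
    flag = _attr(app, "usesCleartextTraffic")
    if nsc is not None and target_sdk >= 24:
        # On API 24+ a Network Security Config overrides the manifest flag
        allowed, source = None, "governed by %s (inspect that file)" % nsc
    elif flag is not None:
        allowed, source = flag.lower() == "true", "explicit android:usesCleartextTraffic=%s" % flag
    else:
        # Platform default: cleartext is allowed only when targeting API < 28
        allowed, source = target_sdk < 28, "platform default for targetSdkVersion %d" % target_sdk
    return {"target_sdk": target_sdk, "cleartext_allowed": allowed,
            "source": source, "network_security_config": nsc}

def findings(manifest_xml):
    """Audit findings for one manifest; an empty list means the manifest-level checks pass."""
    p = cleartext_policy(manifest_xml)
    out = []
    if p["cleartext_allowed"]:
        out.append("CWE-319: cleartext HTTP permitted (%s)" % p["source"])
    if p["network_security_config"] is None:
        out.append("no networkSecurityConfig: no certificate pinning or cleartext policy file")
    return out

# Constructed sample manifests (not taken from the real app)
VULNERABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="33"/>
  <application android:label="Bank" android:usesCleartextTraffic="true"/>
</manifest>"""
LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="27"/>
  <application android:label="Bank"/>
</manifest>"""
HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:label="Bank" android:usesCleartextTraffic="false" android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""
```

Run `findings(...)` on each sample: the explicit `true` flag and the legacy target (API 27, platform default) are both reported as CWE-319, while the hardened manifest produces no findings because cleartext is off and the pinning policy file is declared.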