A critical security flaw has been discovered in the widely used YONO SBI: Banking & Lifestyle app, potentially exposing millions of users to man-in-the-middle (MITM) attacks and putting sensitive financial data at risk.
The vulnerability, catalogued as CVE-2025-45080, affects version 1.23.36 of the app, which is developed by the State Bank of India (SBI) and serves as a digital banking platform for one of the world’s largest user bases.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-45080 |
| App Version | 1.23.36 |
| App Package | com.sbi.lotusintouch |
| Issue | Insecure cleartext traffic enabled |
| CVSS Severity | High (CVSS 3.x Base Score: 8.8) |
Nature of the Vulnerability
Security researcher Ishwar Kumar identified that the YONO SBI app is configured to allow cleartext network traffic, as indicated by the android:usesCleartextTraffic="true" setting in the app's manifest file.
This configuration permits the transmission of unencrypted data over HTTP, rather than the secure HTTPS protocol.
For Android apps targeting API level 28 (Android 9) or higher, the default is to block cleartext traffic to prevent such risks.
However, in this version of YONO SBI, the setting remains enabled, creating a significant security gap.
Potential Risks and Attack Scenarios
The implications of this vulnerability are severe:
- Eavesdropping: Unencrypted data, including user credentials and transaction details, can be intercepted by attackers on the same network.
- Tampering: Malicious actors can modify data packets in transit, potentially altering transaction details or injecting harmful content.
- Man-in-the-Middle Attacks: Users may unknowingly connect to rogue servers, allowing attackers to impersonate the bank and harvest sensitive information.
The vulnerability has been rated as critical, reflecting the ease of exploitation and the high impact on confidentiality, integrity, and availability.
The researcher detailed the steps to reproduce the vulnerability:
- Decompiling the APK with tools like APKTool reveals the insecure setting in the AndroidManifest.xml.
- Network analysis using tools such as Burp Suite or Wireshark confirms the presence of unencrypted HTTP traffic.
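The manifest check described in the first step above, and the hardened configuration an app targeting API 28 or later should ship instead, can be verified without a network capture. The following auditor is an added example written for this article; it is not the researcher's proof-of-concept and not SBI's code. It reads the AndroidManifest.xml that APKTool writes out, applies the platform rules the article cites (cleartext blocked by default from targetSdkVersion 28, overridden by an explicit android:usesCleartextTraffic, and superseded by android:networkSecurityConfig where one is declared), and reports a verdict. The function names audit_manifest and audit_network_security_config, the package name com.example.app, and the sample manifests are all constructed for this example; none is taken from the YONO SBI app.

```python
"""Audit a decompiled AndroidManifest.xml (and its network security config, if any)
for the cleartext-traffic exposure described in CVE-2025-45080.

Added example for this article; not the researcher's PoC or SBI code. Input is the
manifest text that `apktool d app.apk` writes to AndroidManifest.xml.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return None if elem is None else elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str, target_sdk: Optional[int] = None) -> dict:
    """Decide whether the manifest lets the app send cleartext HTTP.

    Platform rules applied:
      * targetSdkVersion >= 28 (Android 9): cleartext blocked unless
        android:usesCleartextTraffic="true" is set explicitly.
      * targetSdkVersion < 28: cleartext allowed unless set to "false".
      * android:networkSecurityConfig present: on Android 7.0+ that XML file
        governs cleartext policy and the manifest attribute is ignored, so the
        verdict is deferred to audit_network_security_config().
    apktool may record targetSdkVersion in apktool.yml rather than in the
    manifest; pass it via target_sdk in that case.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    if target_sdk is None:
        declared = _attr(root.find("uses-sdk"), "targetSdkVersion")
        if declared is None:
            raise ValueError("targetSdkVersion not in manifest; pass target_sdk=")
        target_sdk = int(declared)

    nsc = _attr(app, "networkSecurityConfig")
    if nsc is not None:
        return {"cleartext_permitted": None, "target_sdk": target_sdk,
                "reason": f"policy delegated to {nsc}; audit that file"}

    flag = _attr(app, "usesCleartextTraffic")
    if flag is not None:
        permitted = flag.strip().lower() == "true"
        reason = f'android:usesCleartextTraffic="{flag}" set explicitly'
    else:
        permitted = target_sdk < 28
        reason = (f"attribute absent; platform default for targetSdkVersion "
                  f"{target_sdk} is {'allow' if permitted else 'block'}")
    return {"cleartext_permitted": permitted, "target_sdk": target_sdk, "reason": reason}


def audit_network_security_config(config_xml: str) -> Optional[bool]:
    """Return the <base-config cleartextTrafficPermitted> value, or None when the
    file leaves it to the platform default (the targetSdkVersion rule above)."""
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    value = None if base is None else base.get("cleartextTrafficPermitted")
    return None if value is None else value.strip().lower() == "true"


def make_manifest(application_attrs: str, target_sdk: int = 33) -> str:
    """Build a constructed, minimal manifest for testing (not any real app's)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        '    package="com.example.app">\n'
        f'    <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="{target_sdk}"/>\n'
        f'    <application android:label="Example" {application_attrs}>\n'
        '        <activity android:name=".MainActivity"/>\n'
        '    </application>\n'
        '</manifest>\n'
    )


# Constructed samples: the weak setting the article reports, plus hardened forms.
VULNERABLE = make_manifest('android:usesCleartextTraffic="true"')
HARDENED = make_manifest('android:usesCleartextTraffic="false"')
DELEGATED = make_manifest('android:networkSecurityConfig="@xml/network_security_config"')
LEGACY_DEFAULT = make_manifest('', target_sdk=27)   # no attribute, pre-API-28 target

# The res/xml/network_security_config.xml a hardened app would ship (constructed).
HARDENED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python audit_cleartext.py AndroidManifest.xml [targetSdk]
        sdk = int(sys.argv[2]) if len(sys.argv) > 2 else None
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_manifest(fh.read(), sdk))
    else:
        for name, m in [("vulnerable", VULNERABLE), ("hardened", HARDENED),
                        ("delegated", DELEGATED), ("legacy default", LEGACY_DEFAULT)]:
            print(f"{name:15} -> {audit_manifest(m)}")
        print("hardened NSC    ->", audit_network_security_config(HARDENED_NSC))
```

Run against a real decompiled manifest with `python audit_cleartext.py AndroidManifest.xml 28` (the second argument is only needed when APKTool has moved targetSdkVersion into apktool.yml). A verdict of `None` is not a pass: it means a network security config is declared, and that file's `<base-config cleartextTrafficPermitted>` decides the policy, which is what audit_network_security_config reads. The fix for an app in the vulnerable state is the `HARDENED` manifest form or, better, the `DELEGATED` form paired with a config like `HARDENED_NSC`, which also pins trust to the system certificate store.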
A proof-of-concept has been published, demonstrating the risk in a real-world scenario.
This vulnerability places user credentials, financial transactions, and personal data at significant risk, especially for users accessing the app over public or unsecured Wi-Fi networks.
As of July 2, 2025, there is no public statement from SBI regarding a patch or mitigation steps for affected users.
Recommendations for Users
Until an official fix is released, users are strongly advised to:
- Avoid using public Wi-Fi when accessing the YONO SBI app.
- Monitor accounts for unusual activity.
- Update the app immediately once a security patch becomes available.
Security experts emphasize the urgency for SBI to address this issue to protect its vast user base from potential exploitation.