RBC Mobile Banking App - Improper Input Validation in Mobile Remote Deposit Capture

By 0xhamy 07:20 AM - February 17th 2026
Type software
Product Environment web
Product Name RBC Mobile Banking App
Product Vendor Royal Bank Canada
Product Version Unknown
Product Link https://play.google.com/store/apps/details?id=com.rbc.mobile.android&hl=en
Vulnerability Name Improper Input Validation in Mobile Remote Deposit Capture
Severity Medium
CVSS String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score 6.5
CVE ID -
Vendor Acknowledgement Yes
Affected digital Assets
1
Affected Users
17000000
Date of Reporting Jan 18, 2025
PoC Exploit -
Credit 0xhamy

Description

RBC Mobile Banking Application (Android) is vulnerable to a business logic flaw allowing cheque amount manipulation during the Deposit a Cheque workflow.

The mobile remote deposit capture (RDC) feature allows users to scan the front and back of a cheque and manually enter the cheque amount. The backend posts the deposit for the user-supplied amount without validating it against:

  • The courtesy (numeric) and legal (written) amounts on the cheque image, which OCR can extract
  • The item identity in the MICR line (transit, institution, account and serial number); the MICR line of an unprocessed cheque carries no amount, so it identifies the item rather than proving its value
  • Clearing/issuer-side verification before crediting funds

Because the application trusts client-supplied input for a financial value, attackers can submit a higher amount than the actual cheque value. The manipulated amount is processed and credited, resulting in unauthorized financial gain.

This constitutes improper server-side validation and parameter manipulation in a financial transaction workflow.


Vulnerability Details

Authenticated users can:

  • Use the Deposit a Cheque feature
  • Scan a valid cheque
  • Manually enter an amount higher than the real cheque value
  • Submit the transaction successfully

The backend does not properly cross-verify the entered amount with the cheque’s actual value before crediting the account.

In testing:

  • A CRA-issued cheque for $239.76
  • Was successfully deposited as $240.00
  • The inflated amount was processed

Even small discrepancies demonstrate that:

  • The amount field is client-controlled
  • The backend does not enforce strict validation
  • Financial transaction integrity can be altered

If exploitable at scale, this may allow:

  • Repeated small-value inflation across many deposits
  • Larger cheque inflation attempts
  • Systemic financial abuse
  • Regulatory and compliance risk

The test establishes the credit at deposit time. Whether the inflated amount survives clearing or is reversed as an adjustment once the paying institution processes the item is a separate question, and it determines whether the gain is permanent or a temporary float; the deposit-time credit is the control failure either way.

Steps to Reproduce

  1. Obtain a valid cheque that has not been deposited.

  2. Open the RBC Mobile App (Android).

  3. Navigate to:

    Deposit a Cheque
    
  4. Scan the front and back of the cheque as instructed.

  5. When prompted to enter the cheque amount, input a value slightly higher than the real amount written on the cheque.

    Example:

    • Actual cheque value: 239.76
    • Entered value: 240.00

  6. Submit the deposit.

  7. Observe that:

    • The transaction is accepted
    • The higher amount is credited to the account

Example transaction description:

Mobile cheque deposit - 1818 on chequing account XXXXX

Impact

  • Direct financial integrity violation
  • Unauthorized monetary gain
  • Potential large-scale fraud vector
  • Reputational and regulatory exposure
  • Abuse possible by any authenticated user

Recommendation

  • Enforce strict server-side validation of cheque amounts before crediting funds.

  • Cross-verify the entered amount against:

    • The OCR-extracted courtesy (numeric) and legal (written) amounts
    • The item identity in the MICR line (transit, institution, account, serial), to detect duplicate and altered items; the MICR line does not carry the amount until the item is encoded during processing
    • Clearing-house verification responses

  • Do not rely on client-supplied financial values; treat the keyed amount as a hint to be confirmed, and post the image-derived amount.

  • Implement backend reconciliation before making funds available.

  • Add fraud detection for mismatched cheque/image amount discrepancies.

  • Consider delayed credit until issuer-side validation completes.
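As an added example, not RBC's code and not part of the original advisory, the reconciliation the Recommendation section asks for, placed beside the pattern the Description faults (posting whatever amount the client keyed). The request fields, the OCR outputs, the MICR fields, the serial numbers and the review tolerance are assumptions for illustration; the written-amount parser is a simple one for the "Two hundred thirty-nine and 76/100" convention.

```python
"""Server-side amount reconciliation for a mobile remote deposit capture (RDC) flow.

Added example, not RBC code: the request fields, the OCR inputs, the MICR fields
and the policy values are assumptions for illustration. Money is integer cents.
"""
from dataclasses import dataclass
import re

# Assumed policy: how far the keyed amount may differ from the image amount
# before the item is held for manual review instead of credited.
REVIEW_TOLERANCE_CENTS = 0

_UNITS = {"zero": 0, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
          "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10,
          "eleven": 11, "twelve": 12, "thirteen": 13, "fourteen": 14,
          "fifteen": 15, "sixteen": 16, "seventeen": 17, "eighteen": 18,
          "nineteen": 19}
_TENS = {"twenty": 20, "thirty": 30, "forty": 40, "fifty": 50,
         "sixty": 60, "seventy": 70, "eighty": 80, "ninety": 90}
_SCALES = {"thousand": 1_000, "million": 1_000_000}
_FILLER = {"and", "dollar", "dollars", "only"}


def legal_amount_to_cents(text: str) -> int:
    """Parse the written amount, e.g. 'Two hundred thirty-nine and 76/100 dollars'."""
    norm = text.lower().replace("-", " ")
    frac = re.search(r"\b(\d{1,2}|no|xx)/100\b", norm)
    if frac is None:
        raise ValueError("legal amount has no cents fraction")
    cents = 0 if frac.group(1) in ("no", "xx") else int(frac.group(1))
    total = current = 0
    for word in norm[:frac.start()].split():
        if word in _UNITS:
            current += _UNITS[word]
        elif word in _TENS:
            current += _TENS[word]
        elif word == "hundred":
            current *= 100
        elif word in _SCALES:
            total += current * _SCALES[word]
            current = 0
        elif word not in _FILLER:
            raise ValueError(f"unrecognised word in legal amount: {word!r}")
    return (total + current) * 100 + cents


@dataclass(frozen=True)
class DepositRequest:
    keyed_cents: int     # amount the user typed in the app: client-controlled
    courtesy_cents: int  # numeric amount OCR read from the cheque image
    legal_text: str      # written amount OCR read from the cheque image
    micr_account: str    # drawer account from the MICR line (identity, not amount)
    micr_serial: str     # cheque serial number from the MICR line


@dataclass(frozen=True)
class Decision:
    action: str        # "credit", "hold" or "reject"
    credit_cents: int  # amount posted; 0 unless action == "credit"
    reason: str


def credit_as_keyed(req: DepositRequest) -> int:
    """The pattern the advisory describes: post whatever amount the client sent."""
    return req.keyed_cents


def reconcile(req: DepositRequest, seen_items: set) -> Decision:
    """Hardened path: the cheque image, not the client, decides what is posted."""
    item = (req.micr_account, req.micr_serial)
    if item in seen_items:
        return Decision("reject", 0, "duplicate item: account and serial already deposited")
    try:
        legal = legal_amount_to_cents(req.legal_text)
    except ValueError as exc:
        return Decision("hold", 0, f"legal amount unreadable: {exc}")
    if legal != req.courtesy_cents:
        return Decision("hold", 0, f"image disagrees with itself: courtesy {req.courtesy_cents}, legal {legal}")
    if req.keyed_cents > legal + REVIEW_TOLERANCE_CENTS:
        # The inflation case: raise a fraud signal and never post the keyed value.
        return Decision("reject", 0, f"keyed {req.keyed_cents} exceeds image amount {legal}; fraud alert")
    if legal - req.keyed_cents > REVIEW_TOLERANCE_CENTS:
        return Decision("hold", 0, f"keyed {req.keyed_cents} below image amount {legal}; manual review")
    seen_items.add(item)
    return Decision("credit", legal, "keyed amount matches image; posted the image amount")


def demo() -> Decision:
    """The advisory's case with constructed MICR fields: $239.76 keyed as $240.00."""
    req = DepositRequest(keyed_cents=24000, courtesy_cents=23976,
                         legal_text="Two hundred thirty-nine and 76/100 dollars",
                         micr_account="1234567", micr_serial="000123")
    return reconcile(req, set())


if __name__ == "__main__":
    print(demo())
```

The design point is that the keyed amount is never what gets posted: the image-derived amount is, and any disagreement between client and image stops the credit and leaves a fraud signal behind. The MICR fields serve only to identify the item for duplicate detection, since they do not carry the amount.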