The vulnerability affected a host of otherwise well-secured banking apps, including ones from high-street brands such as HSBC, NatWest and Co-op banks, and potentially enabled a hacker to launch a man-in-the-middle (MitM) attack to steal usernames and passwords.
According to research carried out by a team at the University of Birmingham, the flaw allowed an attacker connected to the same network as the victim (e.g. public Wi-Fi or a corporate LAN) to perform a man-in-the-middle attack and retrieve the user's credentials, such as the username and password or PIN. The weakness was not in TLS itself but in how the apps validated the server: they checked that the certificate chained to the expected certificate authority, but not that it had been issued for the bank's own hostname, so any certificate from that authority would do.
The researchers presented their findings in a paper, summarising the certificate pinning issue: “By proxying TLS connections with a trusted certificate for an unrelated hostname, one cannot distinguish whether the app rejects the connection because the hostname is invalid, or because a chain of trust cannot be established due to pinning being in use. While pinning to the server public key would be secure, to test for apps that pinned to higher up the certificate chain, we obtained a free Comodo certificate for our own hostname and found that this certificate was accepted by apps from Natwest and Co-op bank, meaning that these apps could be MITMed and were not secure…”
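The quoted passage describes two things a tester runs into: a valid certificate for an unrelated hostname is rejected whether or not the app pins, so rejection alone proves nothing, and an app that pins to the CA's key rather than the server's key will accept any certificate that CA has issued unless it also checks the hostname. The Go program below is an added illustration, not code from the article or from the Birmingham paper. It creates a throwaway CA (a constructed stand-in for a public CA), issues certificates for the constructed hostnames `bank.example` and `attacker.example` from that CA, and compares three client policies: a CA pin with no hostname check (the flawed behaviour), a pin on the server's own key, and a CA pin combined with hostname verification. All names, hostnames and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Chain is what a client sees in a TLS handshake: the server's leaf certificate
// and the CA certificate that issued it.
type Chain struct{ Leaf, CA *x509.Certificate }

// spkiPin returns hex(SHA-256(SubjectPublicKeyInfo)), the usual form of a pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA creates a self-signed CA certificate (constructed stand-in for a public CA).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issue has the CA sign a server certificate for host, with a fresh server key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) Chain {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return Chain{Leaf: mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), CA: ca}
}

// chainsToRoot is ordinary path validation. host == "" skips hostname checking,
// which is the omission the paper describes.
func chainsToRoot(ch Chain, roots *x509.CertPool, host string) bool {
	_, err := ch.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// acceptCAPin models the flawed apps: pin on the CA's key, no hostname check.
// Any certificate the pinned CA has ever issued passes.
func acceptCAPin(ch Chain, roots *x509.CertPool, pin string) bool {
	return chainsToRoot(ch, roots, "") && spkiPin(ch.CA) == pin
}

// acceptLeafPin pins the server's own key; only the bank's certificate matches.
func acceptLeafPin(ch Chain, roots *x509.CertPool, pin string) bool {
	return chainsToRoot(ch, roots, "") && spkiPin(ch.Leaf) == pin
}

// acceptCAPinWithHost is the CA pin plus the hostname check the apps skipped.
func acceptCAPinWithHost(ch Chain, roots *x509.CertPool, pin, host string) bool {
	return chainsToRoot(ch, roots, host) && spkiPin(ch.CA) == pin
}

type Result struct {
	CAPinAcceptsBank, CAPinAcceptsAttacker, LeafPinAcceptsBank, LeafPinAcceptsAttacker bool
	CAPinWithHostAcceptsAttacker, ProxyRejectedByCAPin, ProxyRejectedByHostCheck        bool
}

// RunScenario builds the constructed PKI and evaluates each policy against it.
func RunScenario() Result {
	pinnedCA, pinnedKey := newCA("Example Public CA", 1) // the CA the app pins to
	otherCA, otherKey := newCA("Other Public CA", 2)     // trusted, but not the pinned one
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	bank := issue(pinnedCA, pinnedKey, "bank.example", 3)
	attacker := issue(pinnedCA, pinnedKey, "attacker.example", 4) // same CA, attacker's own host
	proxy := issue(otherCA, otherKey, "proxy.example", 5)          // trusted cert, unrelated host
	caPin, leafPin := spkiPin(pinnedCA), spkiPin(bank.Leaf)
	return Result{
		CAPinAcceptsBank:             acceptCAPin(bank, roots, caPin),
		CAPinAcceptsAttacker:         acceptCAPin(attacker, roots, caPin), // the flaw
		LeafPinAcceptsBank:           acceptLeafPin(bank, roots, leafPin),
		LeafPinAcceptsAttacker:       acceptLeafPin(attacker, roots, leafPin),
		CAPinWithHostAcceptsAttacker: acceptCAPinWithHost(attacker, roots, caPin, "bank.example"),
		ProxyRejectedByCAPin:         !acceptCAPin(proxy, roots, caPin),
		ProxyRejectedByHostCheck:     !chainsToRoot(proxy, roots, "bank.example"),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The `proxy` case shows why the first test in the quote is inconclusive: a pinning app and a non-pinning app both reject it, for different reasons. The `attacker` case is the second test: a certificate from the pinned CA for the attacker's own hostname passes a CA pin that is not paired with hostname verification, fails a leaf pin, and fails a CA pin once the hostname is also checked.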
The researchers worked with the UK's National Cyber Security Centre (NCSC) to liaise with affected institutions, and the vulnerability has now been patched by the banks.