Hacker slams Danske Bank for alleged security failure
Denmark’s Danske Bank has been named and shamed by a white hat hacker for allegedly leaking confidential customer data in the form of session cookies on its public website. IT consultant Sijmen Ruwhof says, he found the vulnerability within minutes of exploring the HTML code deployed on the bank’s log-in screen.
In a blog post explaining the exploit, Ruwhof says that each time he attempted to log in, the site would randomly spit out the IP address and stored cookies of an actual Danske Bank customer.
“I’m shocked. I can’t believe this. It’s so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?” he writes. “If the customer from the data that we’re seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I’m also logged in as that customer. That’s how cookies work, and thus that’s how to identify theft works.”
Ruwhof says he contacted Danske Bank to try to point out the flaw but failed to get beyond the switchboard. Instead he searched for the names of IT security staff on LinkedIn and posted his findings.
Within 24 hours the vulnerability was patched, but Ruwhof didn’t receive a formal response from the bank until two weeks later, when it wrote: “Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day.”