Hacker slams Danske Bank for al­leged se­cu­rity fail­ure

SP's MAI - - INTERNAL SECURITY | BREACHES -

Den­mark’s Danske Bank has been named and shamed by a white hat hacker for al­legedly leak­ing confidential cus­tomer data in the form of ses­sion cook­ies on its pub­lic web­site. IT con­sul­tant Sijmen Ruwhof says, he found the vul­ner­a­bil­ity within min­utes of ex­plor­ing the HTML code de­ployed on the bank’s log-in screen.

In a blog post ex­plain­ing the ex­ploit, Ruwhof says that each time he at­tempted to log in, the site would ran­domly spit out the IP ad­dress and stored cook­ies of an ac­tual Danske Bank cus­tomer.

“I’m shocked. I can’t be­lieve this. It’s so ob­vi­ous and in plain sight! How come that no­body at Danske Bank no­ticed this be­fore?” he writes. “If the cus­tomer from the data that we’re see­ing is logged in at the mo­ment, and if I copy those cook­ies and im­port them into my browser, then I’m also logged in as that cus­tomer. That’s how cook­ies work, and thus that’s how to iden­tify theft works.”

Ruwhof says he con­tacted Danske Bank to try to point out the flaw but failed to get be­yond the switch­board. In­stead he searched for the names of IT se­cu­rity staff on LinkedIn and posted his find­ings.

Within 24 hours the vul­ner­a­bil­ity was patched, but Ruwhof didn’t re­ceive a for­mal re­sponse from the bank un­til two weeks later, when it wrote: “Thank you for re­port­ing a po­ten­tial se­cu­rity vul­ner­a­bil­ity on our web­site. We in­ves­ti­gated your re­port im­me­di­ately. How­ever, the data you saw was not real cus­tomer ses­sions or data – just some de­bug in­for­ma­tion. Our de­vel­op­ers cor­rected this later that day.”

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.