
White hat hacker warns Danske Bank over website flaw that could have led to customer ID theft


12th October 2015

by Shannon Greenhalgh

An IT consultant has criticised Denmark's Danske Bank for alleged security failings, reports Finextra.

White hat hacker Sijmen Ruwhof has accused the bank of leaking confidential customer data on its website in the form of session cookies – potentially leaving customers at risk of identity theft.

Ruwhof explained in a blog post that each time he attempted to log in, the bank's website displayed, apparently at random, the IP address and stored cookies of a real Danske Bank customer.

He wrote: "I'm shocked. I can't believe this. It's so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?

"If the customer from the data that we're seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I'm also logged in as that customer. That's how cookies work, and thus that's how identity theft works."

The IT specialist contacted the bank but was unable to reach its IT security staff, he said. However, 24 hours after he sent his findings to staff via LinkedIn, the vulnerability was patched.

Ruwhof received a formal response from the bank some two weeks later, which read: "Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data - just some debug information. Our developers corrected this later that day."

But this is an unlikely scenario, claims the hacker. "I'm not buying that," he said, explaining that testing customer data in a production environment would be "against all safety guards and all best practices."

"They closed the security hole quickly, but are now in denial of it," he argued.
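The dispute above turns on one point: whether output that is "just debug information" can safely appear on a production page when the request it describes carries a session cookie. As an added illustration (not code from Danske Bank, Ruwhof, or the article), the following hypothetical helper shows the control a web team would normally apply before any request details reach a debug panel, log line, or error page: cookie and authorization values are replaced with a placeholder while cookie names and the remaining headers stay visible, and client IP addresses are truncated to their network prefix. The header names, placeholder text, and sample request are constructed for this example.

```python
# Added example (hypothetical): scrub session-bearing and client-identifying
# headers from debug output. Not the code of any party named in the article.
from typing import Dict, Mapping

MASK = "[REDACTED]"

# Headers that carry credentials or session identifiers. Their values must
# never appear verbatim in a debug view, even one meant for developers.
SENSITIVE_HEADERS = frozenset(
    {"cookie", "set-cookie", "authorization", "proxy-authorization"}
)
# Headers (and the socket address) that identify the client. They are masked
# here because the report above describes customer IPs being exposed alongside
# their cookies.
CLIENT_ADDRESS_HEADERS = frozenset({"x-forwarded-for", "x-real-ip"})


def redact_cookie_header(value: str, mask: str = MASK) -> str:
    """Mask every value in a request Cookie header; keep names for debugging."""
    parts = []
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, eq, _ = pair.partition("=")
        parts.append(f"{name.strip()}={mask}" if eq else name)
    return "; ".join(parts)


def redact_set_cookie_header(value: str, mask: str = MASK) -> str:
    """Mask only the cookie value of a Set-Cookie header; attributes such as
    Path, HttpOnly and Secure are not secret and are worth seeing when debugging."""
    first, sep, attrs = value.partition(";")
    name, eq, _ = first.partition("=")
    head = f"{name.strip()}={mask}" if eq else first.strip()
    return head + (";" + attrs if sep else "")


def mask_ip(value: str) -> str:
    """Keep the first two IPv4 octets or the first IPv6 hextet, mask the rest."""
    addr = value.strip()
    if "." in addr and ":" not in addr:
        octets = addr.split(".")
        if len(octets) == 4:
            return ".".join(octets[:2] + ["x", "x"])
    if ":" in addr:
        return addr.split(":")[0] + ":..."
    return MASK


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of the headers that is safe to render in a debug panel."""
    safe: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "cookie":
            safe[name] = redact_cookie_header(value)
        elif key == "set-cookie":
            safe[name] = redact_set_cookie_header(value)
        elif key in SENSITIVE_HEADERS:
            safe[name] = MASK
        elif key in CLIENT_ADDRESS_HEADERS:
            # X-Forwarded-For may list several hops; mask each one.
            safe[name] = ", ".join(mask_ip(a) for a in value.split(","))
        else:
            safe[name] = value
    return safe


def render_debug_panel(headers: Mapping[str, str], remote_addr: str) -> str:
    """Compose the text a developer debug panel would show for one request."""
    lines = [f"remote_addr: {mask_ip(remote_addr)}"]
    lines += [f"{k}: {v}" for k, v in redact_headers(headers).items()]
    return "\n".join(lines)


# Constructed sample request; not captured traffic.
SAMPLE_REQUEST_HEADERS = {
    "Host": "bank.example.invalid",
    "Cookie": "JSESSIONID=0123456789abcdef; lang=da",
    "Authorization": "Bearer constructed.fake.token",
    "X-Forwarded-For": "203.0.113.45, 198.51.100.7",
    "User-Agent": "Mozilla/5.0 (constructed)",
}

if __name__ == "__main__":
    print(render_debug_panel(SAMPLE_REQUEST_HEADERS, "203.0.113.45"))
```

The ordering of the checks matters: Cookie and Set-Cookie are handled before the generic sensitive-header branch so that names and attributes survive, and the IP masking keeps enough of the address to debug routing without exposing a specific customer. Even with scrubbing in place, the safer default is to disable such panels entirely outside development, which is the point Ruwhof makes about production environments.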
