An IT consultant has criticised Denmark's Danske Bank for alleged security failings, reports Finextra.
White hat hacker Sijmen Ruwhof has accused the bank of leaking confidential customer data on its website in the form of session cookies – potentially leaving customers at risk of identity theft.
Ruwhof explained in a blog post that each time he attempted to log in, the bank's website randomly spat out the IP address and stored cookies of an actual Danske Bank customer.
He wrote: "I'm shocked. I can't believe this. It's so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?
"If the customer from the data that we're seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I'm also logged in as that customer. That's how cookies work, and thus that's how identity theft works."
The IT specialist contacted the bank but was unable to reach its IT security staff, he said. However, 24 hours after posting his findings to the staff via LinkedIn, the vulnerability was patched.
Ruwhof received a formal response from the bank some two weeks later, which read: "Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data - just some debug information. Our developers corrected this later that day."
But this is an unlikely scenario, claims the hacker. "I'm not buying that," he said, explaining that testing customer data in a production environment would be "against all safety guards and all best practices."
"They closed the security hole quickly, but are now in denial of it," he argued.
© Copyright 2017, Misco UK Limited.