Denmark’s Danske Bank has been named and shamed by a white hat hacker for allegedly leaking confidential customer data in the form of session cookies on its public website.
IT consultant Sijmen Ruwhof says he found the vulnerability within minutes of exploring the HTML code deployed on the bank’s login screen.
In a blog post explaining the exploit, Ruwhof says that each time he attempted to login, the site would randomly spit out the IP address and stored cookies of an actual Danske Bank customer.
“I’m shocked. I can’t believe this. It’s so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?” he writes. “If the customer from the data that we’re seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I’m also logged in as that customer. That’s how cookies work, and thus that’s how identify theft works.”
Ruwhof says he contacted Danske Bank to try to point out the flaw but failed to get beyond the switchboard. Instead he searched for the names of IT security staff on LinkedIn and posted his findings.
Within 24-hours the vulnerability was patched, but Ruwhof didn’t receive a formal response from the bank until two weeks later, when it wrote: “Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day.”
Ruwhof is sceptical of the bank’s claims. “Is it suggested that Danske Bank is using test customer data in their production environment? That would be against all safety guards and all best practices. And creating test cookie data in production in combination with an IP address and user agent? Never seen that one before. I’m not buying that.”
He credits the bank for acting quickly to close the loophole, but concludes: “They closed the security hole quickly, but are now in denial of it.”