24 October 2017
visit www.response.ncr.com

Hacker slams Danske Bank for alleged security failure

07 October 2015  |  9027 views  |  0 arrow on screen

Denmark's Danske Bank has been named and shamed by a white hat hacker for allegedly leaking confidential customer data in the form of session cookies on its public website.

IT consultant Sijmen Ruwhof says he found the vulnerability within minutes of exploring the HTML code deployed on the bank's login screen.

In a blog post explaining the exploit, Ruwhof says that each time he attempted to login, the site would randomly spit out the IP address and stored cookies of an actual Danske Bank customer.

"I’m shocked. I can’t believe this. It’s so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?" he writes. "If the customer from the data that we’re seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I’m also logged in as that customer. That’s how cookies work, and thus that’s how identify theft works."

Ruwhof says he contacted Danske Bank to try to point out the flaw but failed to get beyond the switchboard. Instead he searched for the names of IT security staff on LinkedIn and posted his findings.

Within 24-hours the vulnerability was patched, but Ruwhof didn't receive a formal response from the bank until two weeks later, when it wrote: "Thank you for reporting a potential security vulnerability on our website. We investigated your report immediately. However, the data you saw was not real customer sessions or data - just some debug information. Our developers corrected this later that day."

Ruwhof is sceptical of the bank's claims. "Is it suggested that Danske Bank is using test customer data in their production environment? That would be against all safety guards and all best practices. And creating test cookie data in production in combination with an IP address and user agent? Never seen that one before. I’m not buying that."

He credits the bank for acting quickly to close the loophole, but concludes: "They closed the security hole quickly, but are now in denial of it."

Comments: (0)

Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

Danske glitch wipes out Northern Bank, National Irish and Sampo ATMs

Danske glitch wipes out Northern Bank, National Irish and Sampo ATMs

10 April 2008  |  8973 views  |  0 comments

Related company news

 

Related blogs

Create a blog about this story (membership required)
visit www.niceactimize.comvisit www.innotribe.comvisit www.vasco.com

Top topics

Most viewed Most shared
Mastercard to roll out blockchain APIMastercard to roll out blockchain API
20782 views comments | 31 tweets | 44 linkedin
HSBC partners Bud for open banking trialHSBC partners Bud for open banking trial
15638 views comments | 24 tweets | 33 linkedin
Sibos 2017: API or the highwaySibos 2017: API or the highway
11232 views comments | 12 tweets | 23 linkedin

Featured job

Competitive base, commission, benefits
London, UK

Find your next job