Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments 41

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.
This discussion has been archived. No new comments can be posted.

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

Comments Filter:
  • I once did a penetration test on a web site / app running under Tomcat, for an Austrian ministry. (Someone breaking into the system might have involved quite the financial loss.) I broke off the test after a couple of minutes: the guys, eager to "do devops", had deployed binaries... and a .jar file with the complete source code.
  • by neoritter ( 3021561 ) on Wednesday October 07, 2015 @10:57AM (#50679621)

    Seriously, clean up your code before committing or signing off on a task.

  • by xxxJonBoyxxx ( 565205 ) on Wednesday October 07, 2015 @10:57AM (#50679623)

    From TFA, the bank wrote "We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day."

    Sounds like a lot of crying over nothing. The bank acknowledged and fixed the problem. Winning, right?

    • by MTEK ( 2826397 )

      We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information.

      --Baghdad Bob

  • by MnO-Raphael ( 601885 ) on Wednesday October 07, 2015 @11:11AM (#50679707)
    The researcher didn't actually test if he could hijack a session.

    If he had tried he would see that the cookies in question are not authentication cookies used by the bank. The cookies in question are described as 'statistical' cookies on http://www.danskebank.com/en-u... [danskebank.com]

    I'm really amazed about the publicity one single blogger can get with such undocumented claims.
    • That page does not list these two cookies:

      mbox=session#1440619645928-786416#1440611516;
      QSI_HistorySession=http%3A%2F%2Fwww.danskebank.dk%2Fda-dk%2FPrivat%2FPages%2FPrivat.aspx~1440619560049

      It's clearly ASP.NET, and WebForms. The dump is the Request.ServerVariables collection, and if you need to debug issues it's fairly standard. If you need to put it in production code, though, you always put it on a server that your load balancer will skip, because that should not be seen, at all, by anyone.

      But how would

  • They should have bought this book [amazon.com].
  • False Alarm (Score:4, Interesting)

    by m2pc ( 546641 ) on Wednesday October 07, 2015 @11:36AM (#50679889)
    The part where they wrote that the "HTTP_CLIENTIP" variable was apparently someone else's (another bank customer's) IP seems incorrect.

    Analyzing the data I saw something strange. My own IP address wasn’t listed in variable HTTP_CLIENTIP and this listed address was also not an internal server IP address. When I translated IP address 80.166.145.257 to the corresponding fully qualified domain name, the result I got was 80-166-145-257-static.dk.customer.tdc.net. Notice the .dk in the result? That means it’s an IP address from Denmark. I live in The Netherlands myself. That probably means that the IP address I’m seeing is from a web site visitor, and very likely a customer of Danske Bank. If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time. This observation is very interesting, but then again: very alarming.

    Most likely this was simply their IP address or the IP address of some networking hardware or proxy downstream from them and the only reason it changed between refreshes was that it was a dynamic IP.

    Simply dumping the contents of the $_SERVER variable in PHP could yield a screen full of variables like this. Many of these name/value pairs are also present in the HTTP headers that are exchanged between the client and server.

  • Umm... with exactly none of the information that was being dumped (looks like server headers, like $_REQUEST if php) could anything have been done.. Nobody in their right mind stores usernames/passwords in cookies, cookies are NOT secure. Usually it's a session ID, or a session object, which when combined with an ip or something provides the state of the session. Breadcrumbs, some basic user info, etc.
    • Also, he says it's insecure to use unencrypted on the backend? Well, since the backend servers aren't doing the handshake unless the frontend is a pure passthrough-load balancer, this makes perfect sense. Why would the worker nodes go through the process of doing their own SSL connections?
  • can be sued / jailed for loses at least in usa for doing that hear.

  • Danske is infamous for rewriting their online banking system as a Java applet around 2008. Standard https security wasn't enough so they decided to roll their own. I switched to another bank before the update took place, and pretty soon other people left the bank in hordes. They later returned to https, but the damage to reputation was already done.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...