An anonymous researcher reported that banking users' information is stored in unencrypted form.
According to an anonymous poster on the Full Disclosure mailing list, the online banking portal of Santander stores confidential financial information about its users in plain text in a cookie.
The independent researcher found that, when a user visits various sections of https://retail.santander.co.uk (which already has a number of vulnerabilities, including XSS), the session cookies can hold information such as the user's full name, credit card number, bank account number, and user ID.
According to the researcher, when the user opens the "Credit Cards" section of the Santander web-site, a cookie containing the full card number is set in the user's browser:
rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************
Confidential information is also held in NewUniversalCookie in base64-encoded form (an encoding, not encryption); after decoding it reads as follows:
<?xml version="1.0" encoding="ISO-8859-1"?><cookie><definitionName>NewUserPasswordCookie</definitionName><name>*****</name><alias>*****</alias><userID>*****</userID></cookie>
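The two cookies described above illustrate a check worth running against any web application you operate: decode every cookie value a page sets and look for personal or card data hiding in it, whether as a raw digit string in a URL-style cookie or as base64-wrapped XML. The Python script below is an added example written for this article; it is not code from the Full Disclosure report or from Santander. It parses a Cookie header, flags digit runs that pass the Luhn check (a card-number heuristic), base64-decodes each value, and reports XML elements with names that should never be stored client-side. The sample header, the element-name list and the card number 5555555555554444 (a published test number, not a real card) are constructed for the example, with placeholder values in place of the masked fields shown on the page.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Element names that should never appear in a client-side cookie, even encoded.
# Illustrative list for this example; extend it for your own application.
SENSITIVE_TAGS = {"name", "alias", "userid", "account", "cardnumber", "pan"}


def parse_cookie_header(header):
    """Split a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def try_base64_decode(value):
    """Return decoded bytes if value is valid base64, else None."""
    padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_sensitive_xml_fields(decoded):
    """Parse bytes as XML and return element names found in SENSITIVE_TAGS."""
    try:
        root = ET.fromstring(decoded)
    except (ET.ParseError, ValueError):
        return []
    return sorted({el.tag for el in root.iter() if el.tag.lower() in SENSITIVE_TAGS})


def mask_pan(pan):
    """Keep first six and last four digits, as in a receipt."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_cookies(header):
    """Return (cookie_name, finding_type, detail) tuples for suspicious cookies."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        # 1. Card-number-like digit runs in the raw cookie value.
        for m in re.finditer(r"\d{13,19}", value):
            if luhn_ok(m.group()):
                findings.append((name, "pan", mask_pan(m.group())))
        # 2. Base64 payloads that decode to XML carrying identity fields.
        decoded = try_base64_decode(value)
        if decoded is not None:
            for tag in find_sensitive_xml_fields(decoded):
                findings.append((name, "xml-field", tag))
    return findings


# Constructed sample modelled on the cookie layout described in the article.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    "<cookie><definitionName>NewUserPasswordCookie</definitionName>"
    "<name>J. Example</name><alias>jexample</alias><userID>12345678</userID></cookie>"
)
SAMPLE_HEADER = (
    "JSESSIONID=abc123; "
    "rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions"
    "&cardSelected=5555555555554444; "   # published test card number, not a real one
    "NewUniversalCookie=" + base64.b64encode(SAMPLE_XML.encode("latin-1")).decode("ascii")
)

if __name__ == "__main__":
    for cookie, kind, detail in audit_cookies(SAMPLE_HEADER):
        print(f"{cookie}: {kind} -> {detail}")
```

Run the script against a Cookie header copied from your own application's traffic; every finding is data that belongs in a server-side session store rather than in the browser. The Luhn filter keeps ordinary numeric IDs and timestamps from being reported as card numbers.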
In the Full Disclosure report the researcher also provided a link to Santander's privacy policy, which states that "On our website, these cookies do not contain personal information, and cannot be used to identify you".