Bank Santander stores user passwords in a cookie

Posted: October 17, 2012 in IT Security News, Vulnerability News

An anonymous researcher reports that customers' banking information is stored in browser cookies in unencrypted form.

According to an anonymous post on the Full Disclosure mailing list, the Santander online banking portal keeps customers' confidential financial information in plain text in a cookie.

The researcher found that, while browsing various sections of https://retail.santander.co.uk (a site already noted for a number of vulnerabilities, including XSS), the session cookies can carry data such as the customer's full name, credit card number, bank account number and user ID.

According to the researcher, visiting the "Credit Cards" section of the Santander site sets a cookie in the user's browser that contains the full card number (masked here):

rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************

Further confidential information is placed in a cookie named NewUniversalCookie. Its value is base64-encoded, not encrypted, so anyone who obtains the cookie can decode it without a key. Decoded, it reads as follows:

<?xml version="1.0" encoding="ISO-8859-1"?><cookie><definitionName>NewUserPasswordCookie</definitionName><name>*****</name><alias>*****</alias><userID>*****</userID></cookie>
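The following script is an added example, not code from the original Full Disclosure post or from Santander. It builds a Cookie header with the same layout as the two cookies above (the values are constructed placeholders, and the card number is the public Mastercard test PAN 5555555555554444), base64-decodes NewUniversalCookie back into its XML fields, and scans the remaining cookie values for digit runs that pass the Luhn check, which is the usual way a proxy or DLP rule would spot a card number leaking into a cookie. The decode step is the point: base64 is a reversible encoding, so it offers no confidentiality at all.

```python
"""Decode and audit a Cookie header shaped like the Santander cookies.
Added example with constructed values; not code from the original report."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: same element layout as the leaked cookie, made-up contents.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    "<cookie><definitionName>NewUserPasswordCookie</definitionName>"
    "<name>J Doe</name><alias>jdoe</alias><userID>12345678</userID></cookie>"
)

# Constructed Cookie header: base64 of the XML above, plus an rinfo cookie
# carrying a card number in the query string (Mastercard public test PAN).
SAMPLE_HEADER = (
    "NewUniversalCookie="
    + base64.b64encode(SAMPLE_XML.encode("iso-8859-1")).decode("ascii")
    + "; rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto"
    "?dse_operationName=viewRecentTransactions&cardSelected=5555555555554444"
)


def parse_cookie_header(header):
    """Split a raw Cookie request header into {name: value}.
    Values may themselves contain '=' (base64 padding, query strings),
    so only the first '=' separates name from value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def decode_universal_cookie(b64_value):
    """Base64 is an encoding, not encryption: no key is needed to recover
    the XML. Returns the <cookie> child elements as a dict."""
    raw = base64.b64decode(b64_value)
    root = ET.fromstring(raw)
    return {child.tag: (child.text or "") for child in root}


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 consecutive digits, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text):
    """Return card numbers found in text, masked to first 6 / last 4 digits."""
    found = []
    for m in PAN_RE.finditer(text):
        pan = m.group(0)
        if luhn_valid(pan):
            found.append(pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    return found


def audit_cookie_header(header):
    """Report cookies carrying identity fields (decoded) or card numbers."""
    findings = {}
    for name, value in parse_cookie_header(header).items():
        if name == "NewUniversalCookie":
            # Decoded, not scanned raw: the identity fields are the finding.
            findings[name] = decode_universal_cookie(value)
            continue
        pans = find_pans(value)
        if pans:
            findings[name + ":pan"] = pans
    return findings


if __name__ == "__main__":
    for key, finding in audit_cookie_header(SAMPLE_HEADER).items():
        print(key, finding)
```

Run against the constructed header, the audit reports the decoded name, alias and userID fields from NewUniversalCookie and a masked card number in rinfo. The same functions can be pointed at a real Cookie header captured from a browser or proxy log; only the sample data is made up.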

In the Full Disclosure post the researcher also links to Santander's privacy policy, which states: "On our website, these cookies do not contain personal information, and cannot be used to identify you."
