Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

← Back to Stories (view on slashdot.org)

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

Posted by Soulskill on Wednesday October 7, 2015 @03:52AM from the in-the-case-of-face-v.-palm dept.

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

41 comments

Min score:

Reason:

Sort:

Similar experience here by vikingpower · 2015-10-07 03:56 · Score: 0

I once did a penetration test on a web site / app running under Tomcat, for an Austrian ministry. (Someone breaking into the system might have involved quite the financial loss.) I broke off the test after a couple of minutes: the guys, eager to "do devops", had deployed binaries... and a .jar file with the complete source code.

--
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
1. Re:Similar experience here by Anonymous Coward · 2015-10-07 04:27 · Score: 0
  
  Oh no, because having source code is a problem? Having source code to a website shouldn't make any difference when it comes to security. You are talking about security via obscurity. What you are talking about is a completely different issue.
2. Re: Similar experience here by Anonymous Coward · 2015-10-07 04:29 · Score: 0
  
  Your apps should be secure with the source visible. A jar classes file are easily reversed to its Java sources format
3. Re:Similar experience here by Anonymous Coward · 2015-10-07 04:34 · Score: 0
  
  Unless there's DB credentials or other sensitive information in it.
4. Re:Similar experience here by sexconker · 2015-10-07 04:38 · Score: 0
  
  Then those credentials would be in a compiled binary.
  The proper way to do credentials is to supply them by hand when a server/service starts up.
  Yes, that means physical, human intervention every time the server/service restarts.
5. Re:Similar experience here by Anonymous Coward · 2015-10-07 05:10 · Score: 0, Redundant
  
  Whenever I get modpoints, I'll just mod all your posts as troll until you stop setting the font.
6. Re:Similar experience here by bobbied · 2015-10-07 05:28 · Score: 1, Interesting
  
  Unless there's DB credentials or other sensitive information in it.
  DB credentials In the SOURCE code? security: FAIL.
  You NEVER put the DB credentials in the source, nor do you put things like internal IP's or hostnames. NEVER EVER. At the very least you put stuff like this in separately maintained configuration files. If you are wanting real security then you encrypt said files and provide the decryption key upon system startup. Just putting in plain text credentials is akin to hard coding SQL statements and other such foolish things I've seen folks do. If you have a database, go ask your DBA (you have a DBA right?) how to properly use the thing. If you don't have a DBA, go get one. Cannot afford a DBA? Get another job where they know how to spend their money properly...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
7. Re:Similar experience here by Anonymous Coward · 2015-10-07 07:04 · Score: 0
  
  Requiring human interaction at startup with possibly even hundred of different service credentials would cause a bit of a problem when trying to reduce server downtime when problems occur. And it would make dynamic scaling of a service pretty much impossible.
8. Re:Similar experience here by Zontar+The+Mindless · 2015-10-07 07:24 · Score: 1
  
  Indeed, it's quite annoying.
  
  --
  Il n'y a pas de Planet B.
9. Re:Similar experience here by Anonymous Coward · 2015-10-07 18:09 · Score: 0
  
  So if he hadn't deployed that .jar with source code, it would have taken you 5 additional minutes to download JD and do it yourself?
Clean up your code! by neoritter · 2015-10-07 03:57 · Score: 2

Seriously, clean up your code before committing or signing off on a task.
They didn't deny it happened, just that it was bad by xxxJonBoyxxx · 2015-10-07 03:57 · Score: 4, Insightful

From TFA, the bank wrote "We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day."
Sounds like a lot of crying over nothing. The bank acknowledged and fixed the problem. Winning, right?
These are not the Auth Cookies you are looking for by MnO-Raphael · 2015-10-07 04:11 · Score: 5, Interesting

The researcher didn't actually test if he could hijack a session.

If he had tried he would see that the cookies in question are not authentication cookies used by the bank. The cookies in question are described as 'statistical' cookies on http://www.danskebank.com/en-u...

I'm really amazed about the publicity one single blogger can get with such undocumented claims.
The question that everyone wants to know is... by Anonymous Coward · 2015-10-07 04:12 · Score: 0

Was it a Dane who did this or an Indian? H1Bs put the "B" in B-Player.
They should have by phantomfive · 2015-10-07 04:13 · Score: 1

They should have bought this book.

--
"First they came for the slanderers and i said nothing."
Somethings rotten by Anonymous Coward · 2015-10-07 04:35 · Score: 0, Redundant

In Denmark.
False Alarm by m2pc · 2015-10-07 04:36 · Score: 3, Interesting

The part where they wrote that the "HTTP_CLIENTIP" variable was apparently someone else's (another bank customer's) IP seems incorrect.

Analyzing the data I saw something strange. My own IP address wasn’t listed in variable HTTP_CLIENTIP and this listed address was also not an internal server IP address. When I translated IP address 80.166.145.257 to the corresponding fully qualified domain name, the result I got was 80-166-145-257-static.dk.customer.tdc.net. Notice the .dk in the result? That means it’s an IP address from Denmark. I live in The Netherlands myself. That probably means that the IP address I’m seeing is from a web site visitor, and very likely a customer of Danske Bank. If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time. This observation is very interesting, but then again: very alarming.
Most likely this was simply their IP address or the IP address of some networking hardware or proxy downstream from them and the only reason it changed between refreshes was that it was a dynamic IP.
Simply dumping the contents of the $_SERVER variable in PHP could yield a screen full of variables like this. Many of these name/value pairs are also present in the HTTP headers that are exchanged between the client and server.
1. Re:False Alarm by gweihir · 2015-10-07 06:26 · Score: 1
  
  One scenario for that would be a load-balancer in a specific configuration in the loop.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
2. Re:False Alarm by spongman · 2015-10-07 06:32 · Score: 1
  
  that doesn't explain the user-agent discrepancy.
Deny, deny, deny by Anonymous Coward · 2015-10-07 04:37 · Score: 0

THAT's how you do security . . .
1. Re:Deny, deny, deny by bobbied · 2015-10-07 05:30 · Score: 1
  
  THAT's how you do security . . .
  Well, it's a start anyway.... That they turned off the debugging information was also a step in the right direction too...
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:They didn't deny it happened, just that it was by MTEK · 2015-10-07 04:42 · Score: 1

We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information.
--Baghdad Bob
What's the problem? by Anonymous Coward · 2015-10-07 05:05 · Score: 0

I mean, who puts their pastries in a bank anyway? And, what could possible be sensitive about this information?
Joe Schmo doesn't like apple Danishes? Is allergic to cherry?
What IP could it really be? by grimJester · 2015-10-07 05:21 · Score: 1

He just says "a different set of data, from another customer" without saying what the IPs were. It's a bit of a stretch to assume it's the IP of another end user, but what could it reasonably be?
Noob Analysis by barbariccow · 2015-10-07 06:17 · Score: 1

Umm... with exactly none of the information that was being dumped (looks like server headers, like $_REQUEST if php) could anything have been done.. Nobody in their right mind stores usernames/passwords in cookies, cookies are NOT secure. Usually it's a session ID, or a session object, which when combined with an ip or something provides the state of the session. Breadcrumbs, some basic user info, etc.
1. Re:Noob Analysis by barbariccow · 2015-10-07 06:22 · Score: 1
  
  Also, he says it's insecure to use unencrypted on the backend? Well, since the backend servers aren't doing the handshake unless the frontend is a pure passthrough-load balancer, this makes perfect sense. Why would the worker nodes go through the process of doing their own SSL connections?
2. Re:Noob Analysis by Anonymous Coward · 2015-10-07 10:14 · Score: 0
  
  Usually it's a session ID, or a session object, which when combined with an ip is a great way to make your site unusable for people in networks with load balanced proxy servers.
  FTFY.
3. Re:Noob Analysis by barbariccow · 2015-10-07 10:38 · Score: 1
  
  I said "ip or something" -- I didn't feel like typing a whole lesson on UUID generation and tracking, the point was to give an idea about identification. Also, if you're using SSL through a proxy server, why not just give up your credentials plaintext?
4. Re:Noob Analysis by Anonymous Coward · 2015-10-07 11:19 · Score: 0
  
  You claim a dump of someone else's $_REQUEST is useless to hijack his session, because session ID (included in said dump) is "combined with an ip or something". I just gave you one good reason why it's usually *not* combined with an IP, and I'm now dying to know what's that mythical "or something" that can't be spoofed.
can be sued / jailed for loses at least in usa for by Joe_Dragon · 2015-10-07 07:55 · Score: 1

can be sued / jailed for loses at least in usa for doing that hear.
he should count his blessings by Anonymous Coward · 2015-10-07 08:43 · Score: 0

In the Fascist States of Amerika, instead of a simple denial, government thugs would be busting down his door with their full auto assault rifles trained on him for 1337 h4x0r'ing the bank.
HTTPS by Anonymous Coward · 2015-10-07 09:23 · Score: 0

"Furthermore, he was also able to come to the conclusion that the bank does not use HTTPS on its internal network, even if customer connections are using HTTPS.
While internal networks are usually pretty well isolated, this is generally considered a bad security practice, because even if attackers never breach the internal network, information about customer activities are still being exchanged in clear text inside it."
No, it's called SSL Offloading and it's a pretty common practice.
Related background by TeknoHog · 2015-10-07 10:42 · Score: 1

Danske is infamous for rewriting their online banking system as a Java applet around 2008. Standard https security wasn't enough so they decided to roll their own. I switched to another bank before the update took place, and pretty soon other people left the bank in hordes. They later returned to https, but the damage to reputation was already done.

--
Escher was the first MC and Giger invented the HR department.
Re:These ARE the Auth Cookies you are looking for by Bite+The+Pillow · 2015-10-07 12:08 · Score: 2

That page does not list these two cookies:

mbox=session#1440619645928-786416#1440611516;
QSI_HistorySession=http%3A%2F%2Fwww.danskebank.dk%2Fda-dk%2FPrivat%2FPages%2FPrivat.aspx~1440619560049
It's clearly ASP.NET, and WebForms. The dump is the Request.ServerVariables collection, and if you need to debug issues it's fairly standard. If you need to put it in production code, though, you always put it on a server that your load balancer will skip, because that should not be seen, at all, by anyone.
But how would you get someone else's session? It's impossible.
Scott Hanselman has one suggestion as to how it might happen, and it's 100% code errors.
There's a comment there "You just found the famous TLS bug :)" So maybe not impossible. Windows uses Thread Local Storage to store things like static variables. The thread handling the request might change, and ASP.NET properly sets the .NET Thread data (and HttpContext data for MVC applications) every time it processes an event so it should all line up. But, static variables are thread-locked, so they can transfer between request handlers. That's the TLS Bug referenced there. It is possible to access someone else's session data if it is stored in TLS (static variable is one possibility).
So, this is not "a lot of crying over nothing" - it could be very serious. Having said all of that, it is very unlikely that you would see someone else's information consistently with that bug - it might show up once and go away.

Two weeks after I initially found this critical vulnerability, I took the time to find a way to report it to them (on August 26).

HTTP_SOPSESMTTS = 2015-08-26-20.03.26.132946
HTTP_SOPTID = 2015-08-26-22.07.44.322171
If this were replay data for load tests or unit tests, it's unlikely that the dates would be the same as when it was reported. The user admits altering some of the data, so we can't draw concrete conclusions there.
A security professional wouldn't draw attention to *possible* leakage of Basic Auth, because that's really unlikely at the SSL interface behind a username/password login. At least a knowledgeable one, I think.
If the IP address were a load balancer, the User agent should have matched what the user expected. Dynamic content hosted by a CDN/edge provider? If the data changed, it's probably dynamic. So, what is the conclusion?
I don't know, but it doesn't sound like something that can be dismissed so nonchalantly. If users were getting each others' sessions, we would likely have heard about it, since it happened for two weeks. That's the only thing I can conclude, but that supposes that the news would have made it to international press.
Ooooops! by Anonymous Coward · 2015-10-07 15:27 · Score: 0

Major Oops!
Re:These ARE the Auth Cookies you are looking for by MnO-Raphael · 2015-10-07 16:31 · Score: 1

QSI_HistorySession is listed as a "user survey" cookie on the danish version.

mbox is probably Site Catalyst: http://cookiepedia.co.uk/cooki...

Anyway, A danish customer checked it and found out that session related cookies to the homebanking solution (which is hosted elsewhere) is called NSSID. https://twitter.com/kimtiede/s...