Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

These are not the Auth Cookies you are looking for

[MnO-Raphael]

The researcher didn't actually test if he could hijack a session.

If he had tried he would see that the cookies in question are not authentication cookies used by the bank. The cookies in question are described as 'statistical' cookies on http://www.danskebank.com/en-u...

I'm really amazed about the publicity one single blogger can get with such undocumented claims.

False Alarm

[m2pc]

The part where they wrote that the "HTTP_CLIENTIP" variable was apparently someone else's (another bank customer's) IP seems incorrect.

Analyzing the data I saw something strange. My own IP address wasn’t listed in variable HTTP_CLIENTIP and this listed address was also not an internal server IP address. When I translated IP address 80.166.145.257 to the corresponding fully qualified domain name, the result I got was 80-166-145-257-static.dk.customer.tdc.net. Notice the .dk in the result? That means it’s an IP address from Denmark. I live in The Netherlands myself. That probably means that the IP address I’m seeing is from a web site visitor, and very likely a customer of Danske Bank. If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time. This observation is very interesting, but then again: very alarming.

Most likely this was simply their IP address or the IP address of some networking hardware or proxy downstream from them and the only reason it changed between refreshes was that it was a dynamic IP.

Simply dumping the contents of the $_SERVER variable in PHP could yield a screen full of variables like this. Many of these name/value pairs are also present in the HTTP headers that are exchanged between the client and server.

Re:Similar experience here

[bobbied]

Unless there's DB credentials or other sensitive information in it.

DB credentials In the SOURCE code? security: FAIL.

You NEVER put the DB credentials in the source, nor do you put things like internal IP's or hostnames. NEVER EVER. At the very least you put stuff like this in separately maintained configuration files. If you are wanting real security then you encrypt said files and provide the decryption key upon system startup. Just putting in plain text credentials is akin to hard coding SQL statements and other such foolish things I've seen folks do. If you have a database, go ask your DBA (you have a DBA right?) how to properly use the thing. If you don't have a DBA, go get one. Cannot afford a DBA? Get another job where they know how to spend their money properly...