Slashdot Mirror

← Back to Stories (view on slashdot.org)

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

Posted by Soulskill on from the in-the-case-of-face-v.-palm dept.

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

5 of 41 comments (clear)

  1. Clean up your code! by neoritter · · Score: 2

    Seriously, clean up your code before committing or signing off on a task.

  2. They didn't deny it happened, just that it was bad by xxxJonBoyxxx · · Score: 4, Insightful

    From TFA, the bank wrote "We investigated your report immediately. However, the data you saw was not real customer sessions or data – just some debug information. Our developers corrected this later that day."

    Sounds like a lot of crying over nothing. The bank acknowledged and fixed the problem. Winning, right?

  3. These are not the Auth Cookies you are looking for by MnO-Raphael · · Score: 5, Interesting

    The researcher didn't actually test if he could hijack a session.

    If he had tried he would see that the cookies in question are not authentication cookies used by the bank. The cookies in question are described as 'statistical' cookies on http://www.danskebank.com/en-u...

    I'm really amazed about the publicity one single blogger can get with such undocumented claims.

  4. False Alarm by m2pc · · Score: 3, Interesting
    The part where they wrote that the "HTTP_CLIENTIP" variable was apparently someone else's (another bank customer's) IP seems incorrect.

    Analyzing the data I saw something strange. My own IP address wasn’t listed in variable HTTP_CLIENTIP and this listed address was also not an internal server IP address. When I translated IP address 80.166.145.257 to the corresponding fully qualified domain name, the result I got was 80-166-145-257-static.dk.customer.tdc.net. Notice the .dk in the result? That means it’s an IP address from Denmark. I live in The Netherlands myself. That probably means that the IP address I’m seeing is from a web site visitor, and very likely a customer of Danske Bank. If I refreshed the login screen again, I would get to see a different set of data, from another customer. I repeated that a few times and got back different records each time. This observation is very interesting, but then again: very alarming.

    Most likely this was simply their IP address or the IP address of some networking hardware or proxy downstream from them and the only reason it changed between refreshes was that it was a dynamic IP.

    Simply dumping the contents of the $_SERVER variable in PHP could yield a screen full of variables like this. Many of these name/value pairs are also present in the HTTP headers that are exchanged between the client and server.

  5. Re:These ARE the Auth Cookies you are looking for by Bite+The+Pillow · · Score: 2

    That page does not list these two cookies:

    mbox=session#1440619645928-786416#1440611516;
    QSI_HistorySession=http%3A%2F%2Fwww.danskebank.dk%2Fda-dk%2FPrivat%2FPages%2FPrivat.aspx~1440619560049

    It's clearly ASP.NET, and WebForms. The dump is the Request.ServerVariables collection, and if you need to debug issues it's fairly standard. If you need to put it in production code, though, you always put it on a server that your load balancer will skip, because that should not be seen, at all, by anyone.

    But how would you get someone else's session? It's impossible.

    Scott Hanselman has one suggestion as to how it might happen, and it's 100% code errors.

    There's a comment there "You just found the famous TLS bug :)" So maybe not impossible. Windows uses Thread Local Storage to store things like static variables. The thread handling the request might change, and ASP.NET properly sets the .NET Thread data (and HttpContext data for MVC applications) every time it processes an event so it should all line up. But, static variables are thread-locked, so they can transfer between request handlers. That's the TLS Bug referenced there. It is possible to access someone else's session data if it is stored in TLS (static variable is one possibility).

    So, this is not "a lot of crying over nothing" - it could be very serious. Having said all of that, it is very unlikely that you would see someone else's information consistently with that bug - it might show up once and go away.

    Two weeks after I initially found this critical vulnerability, I took the time to find a way to report it to them (on August 26).

    HTTP_SOPSESMTTS = 2015-08-26-20.03.26.132946
    HTTP_SOPTID = 2015-08-26-22.07.44.322171

    If this were replay data for load tests or unit tests, it's unlikely that the dates would be the same as when it was reported. The user admits altering some of the data, so we can't draw concrete conclusions there.

    A security professional wouldn't draw attention to *possible* leakage of Basic Auth, because that's really unlikely at the SSL interface behind a username/password login. At least a knowledgeable one, I think.

    If the IP address were a load balancer, the User agent should have matched what the user expected. Dynamic content hosted by a CDN/edge provider? If the data changed, it's probably dynamic. So, what is the conclusion?

    I don't know, but it doesn't sound like something that can be dismissed so nonchalantly. If users were getting each others' sessions, we would likely have heard about it, since it happened for two weeks. That's the only thing I can conclude, but that supposes that the news would have made it to international press.