Slashdot Mirror

← Back to Stories (view on slashdot.org)

Danish Bank Leaves Server In Debug Mode, Exposes Sensitive Data In JS Comments

Posted by Soulskill on from the in-the-case-of-face-v.-palm dept.

An anonymous reader writes: Dutch IT security expert Sijmen Ruwhof has found a pretty big blunder on the part of Danske Bank, Denmark's biggest bank, which exposed sensitive user session information in the form of an encoded data dump, in their banking portal's JavaScript files. The data contained client IP addresses, user agent strings, cookie information, details about the bank's internal IT network, and more. He contacted the bank, who fixed the issue, but later denied it ever happened.

1 of 41 comments (clear)

  1. These are not the Auth Cookies you are looking for by MnO-Raphael · · Score: 5, Interesting

    The researcher didn't actually test if he could hijack a session.

    If he had tried he would see that the cookies in question are not authentication cookies used by the bank. The cookies in question are described as 'statistical' cookies on http://www.danskebank.com/en-u...

    I'm really amazed about the publicity one single blogger can get with such undocumented claims.