Hacker slams Danske Bank for alleged security failure

Source: National Cyber Security – Produced By Gregory Evans

Denmark’s Danske Bank has been named and shamed by a white hat hacker for allegedly leaking confidential customer data in the form of session cookies on its public website.

IT consultant Sijmen Ruwhof says he found the vulnerability within minutes of exploring the HTML code deployed on the bank’s login screen. In a blog post explaining the exploit, Ruwhof says that each time he attempted to log in, the site would randomly spit out the IP address and stored cookies of an actual Danske Bank customer.

“I’m shocked. I can’t believe this. It’s so obvious and in plain sight! How come that nobody at Danske Bank noticed this before?” he writes. “If the customer from the data that we’re seeing is logged in at the moment, and if I copy those cookies and import them into my browser, then I’m also logged in as that customer. That’s how cookies work, and thus that’s how identity theft works.”

Ruwhof says he contacted Danske Bank to try to point out the flaw but failed to get beyond the switchboard. Instead he searched for the names of IT security staff on LinkedIn and posted his findings. Within 24 hours the vulnerability was patched, but Ruwhof […]
