
[Full-disclosure] Is it OK to hold credit card numbers in cookies? Santander?



Santander are a joke when it comes to security. Fed up of two years of battling 
with them to fix issues any other bank would have fixed in seconds, things like 
XSS on login pages etc. Time to hit full disclosure with some of these issues 
in the hope they'll change their game and start to take their customers' 
security seriously:



*Advisory Information*


 Title: Sensitive Data In Cookies 
 Date published: 2012-03-31 08:16:26 PM
 upSploit Ref: UPS-2012-0004
 
 *Advisory Summary*
 Santander's online banking stores sensitive information, including full credit 
card numbers, in its cookies, putting this information at risk.
 
 
*Vendor*
 Santander (UK)
 
*Affected Software*
 Online Banking
 
 https://retail.santander.co.uk
(confirmed for personal online banking)



*Description of Issue*
 Santander online banking unnecessarily stores sensitive information within 
cookies. Depending on which areas of online banking the user visits this 
information may include the following:
* Full name
* PAN (Credit card number)
* Bank account number and sort code
* Alias
* UserID


Of particular concern is the full PAN, which PCI DSS states should be rendered 
unreadable anywhere it is stored.


Within Santander's "Security & Privacy" section they state that: "Santander's 
site-tracking cookies don’t contain name or address information". The use of 
cookies is therefore not in line with this policy.


It should be noted that the HttpOnly flag is not set on any of the cookies, 
leaving them at greater risk of exposure (for example through XSS) - such as 
the XSS which was present on the login page for ~1 year before being 
inadvertently fixed!!


Additionally, whilst the cookies expire at the end of a session, they are not 
overwritten on logout. This means that any user who does not close their 
browser, even if they log out correctly, will still have these cookies present 
until they close their browser, increasing the window of exposure.


 
 *PoC*
 The cookies holding the most sensitive information include:
* rinfo
* NewUniversalCookie


On browsing to the "Credit Cards" section and selecting a credit card a cookie 
such as the following is set (credit card number obscured):


rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************


The sensitive information in the NewUniversalCookie is base64 encoded, when 
decoded it is of the format shown below (sensitive data has been stripped):


<?xml version="1.0" encoding="ISO-8859-1"?><cookie><definitionName>NewUserPasswordCookie</definitionName><name>*****</name><alias>*****</alias><userID>*****</userID></cook
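The checks a defender would want to automate against Set-Cookie headers of this kind (Luhn-validated PAN in the value, base64-encoded XML carrying name/alias/userID, missing HttpOnly/Secure flags) as an added example, not code from the original post; the headers are constructed to mirror the rinfo and NewUniversalCookie cookies above, with a well-known test card number in place of a real PAN:

```python
import base64
import re

# Constructed Set-Cookie headers modelled on the advisory's cookies; the PAN is a test number.
SAMPLE_HEADERS = [
    "rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName="
    "viewRecentTransactions&cardSelected=4111111111111111; Path=/",
    "NewUniversalCookie=" + base64.b64encode(
        b'<?xml version="1.0"?><cookie><name>A Person</name>'
        b"<userID>user1</userID></cookie>").decode() + "; Path=/; Secure",
    "JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly",
]

def luhn_ok(digits):
    """Luhn check-digit test; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Digit runs of card-number length (13-19) that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def decode_if_xml(value):
    """Base64-decode a value like NewUniversalCookie; return the text if it is XML."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    return raw.decode("latin-1") if raw.startswith(b"<") else None

def audit_set_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    decoded = decode_if_xml(value)
    findings = []
    for pan in find_pans(decoded if decoded is not None else value):
        findings.append("PAN in cookie: " + pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    for tag in re.findall(r"<(name|alias|userID)>", decoded or ""):
        findings.append("base64 XML exposes <" + tag + ">")
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in attrs:
            findings.append("missing " + flag)
    return name, findings

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
```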


 
*Credits*
 ee4f99e7e240e4ebef195678a635c0a9


 
*References*
 Santander's Data Protection Statement:
http://tinyurl.com/santander-dpa


Santander's Cookie Policy stating "cookies do not contain personal information, 
and cannot be used to identify you":
http://tinyurl.com/santanderCookies


PCI DSS v2.0:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/