Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Is it OK to hold credit card numbers in cookies? Santander?
From: auto62098873 () hushmail com
Date: Sun, 14 Oct 2012 16:15:05 +0100

Santander are a joke when it comes to security. Fed up of two years of battling with them to fix issues any other bank 
would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues 
in the hope they'll change their game and start to take their customers security seriously:



*Advisory Information*


 Title: Sensitive Data In Cookies 
 Date published: 2012-03-31 08:16:26 PM
 upSploit Ref: UPS-2012-0004
 
 *Advisory Summary*
 Santander's online banking stores a sensitive, including full credit card numbers, in its cookies putting this 
information at risk.
 
 
*Vendor*
 Santander (UK)
 
*Affected Software*
 Online Banking
 
 https://retail.santander.co.uk
(confirmed for personal online banking)



*Description of Issue*
 Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online 
banking the user visits this information may include the following:
* Full name
* PAN (Credit card number)
* Bank account number and sort code
* Alias
* UserID


Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored.


Within Santander's "Security & Privacy" section they state that: "Santander's site-tracking cookies don’t contain name 
or address information". The use of cookies is therefore not in line with this policy.


It should be noted that the HTTPOnly flag is not used on any cookies exposing them to increased greater risk of 
exposure (for example through XSS) - such as the XSS which was present on the login page for ~1 year before being 
inadvertently fixed!!.


Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout. This mean any user 
who does not close their browser, even if they log out correctly, will still have these cookies present until they 
close their browser. Thus increasing the window for exposure.


 
 *PoC*
 The cookies holding the most sensitive information include:
* rinfo
* NewUniversalCookie


On browsing to the "Credit Cards" section and selecting a credit card a cookie such as the following is set (credit 
card number obscured):


rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************


The sensitive information in the NewUniversalCookie is base64 encoded, when decoded it is of the format shown below 
(sensitive data has been stripped):


<?xml version=\"1.0\" 
encoding=\"ISO-8859-1\"?><cookie><definitionName>NewUserPasswordCookie</definitionName><name>*****</name><alias>*****</alias><userID>*****</userID></cook"


 
*Credits*
 ee4f99e7e240e4ebef195678a635c0a9


 
*References*
 Santander's Data Protection Statement:
http://tinyurl.com/santander-dpa


Santanders Cookie Policy stating "cookies do not contain personal information, and cannot be used to identify you"
http://tinyurl.com/santanderCookies


PCI DSS v2.0:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
 

                

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault