mailing list archives
Is it OK to hold credit card numbers in cookies? Santander?
From: auto62098873 () hushmail com
Date: Sun, 14 Oct 2012 16:15:05 +0100
Santander are a joke when it comes to security. Fed up of two years of battling with them to fix issues any other bank
would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues
in the hope they'll change their game and start to take their customers security seriously:
Title: Sensitive Data In Cookies
Date published: 2012-03-31 08:16:26 PM
upSploit Ref: UPS-2012-0004
Santander's online banking stores a sensitive, including full credit card numbers, in its cookies putting this
information at risk.
(confirmed for personal online banking)
*Description of Issue*
Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online
banking the user visits this information may include the following:
* Full name
* PAN (Credit card number)
* Bank account number and sort code
Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored.
Within Santander's "Security & Privacy" section they state that: "Santander's site-tracking cookies don’t contain name
It should be noted that the HTTPOnly flag is not used on any cookies exposing them to increased greater risk of
exposure (for example through XSS) - such as the XSS which was present on the login page for ~1 year before being
Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout. This mean any user
who does not close their browser, even if they log out correctly, will still have these cookies present until they
close their browser. Thus increasing the window for exposure.
The cookies holding the most sensitive information include:
On browsing to the "Credit Cards" section and selecting a credit card a cookie such as the following is set (credit
card number obscured):
The sensitive information in the NewUniversalCookie is base64 encoded, when decoded it is of the format shown below
(sensitive data has been stripped):
Santander's Data Protection Statement:
PCI DSS v2.0:
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Is it OK to hold credit card numbers in cookies? Santander? auto62098873 (Oct 15)