Santander Sensitive Data In Cookies

Posted Oct 14, 2012
Authored by ee4f99e7e240e4ebef195678a635c0a9

Santander online banking stores full credit card information in cookies.

tags | advisory, info disclosure
SHA-256 | fb4628e240300819e31b7a3a3c9ef857daa5ae9249699a913703448bc9ca8138

Santander are a joke when it comes to security. Fed up of two years of battling with them to fix issues any other bank would have fixed in seconds, things like XSS on login pages etc. Time to hit full disclosure with some of these issues in the hope they'll change their game and start to take their customers' security seriously:



*Advisory Information*


Title: Sensitive Data In Cookies
Date published: 2012-03-31 08:16:26 PM
upSploit Ref: UPS-2012-0004

*Advisory Summary*
Santander's online banking stores sensitive information, including full credit card numbers, in its cookies, putting this information at risk.


*Vendor*
Santander (UK)

*Affected Software*
Online Banking

https://retail.santander.co.uk
(confirmed for personal online banking)



*Description of Issue*
Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online banking the user visits this information may include the following:
* Full name
* PAN (Credit card number)
* Bank account number and sort code
* Alias
* UserID


Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored.


Within Santander's "Security & Privacy" section they state that: "Santander's site-tracking cookies don’t contain name or address information". The use of cookies is therefore not in line with this policy.


It should be noted that the HttpOnly flag is not set on any of the cookies, which leaves them readable from script and so at greater risk of exposure (for example through XSS) - such as the XSS which was present on the login page for ~1 year before being inadvertently fixed.


Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout. This means that any user who does not close their browser, even if they log out correctly, will still have these cookies present until the browser is closed, which increases the window for exposure.



*PoC*
The cookies holding the most sensitive information include:
* rinfo
* NewUniversalCookie


On browsing to the "Credit Cards" section and selecting a credit card a cookie such as the following is set (credit card number obscured):


rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName=viewRecentTransactions&cardSelected=5***************


The sensitive information in the NewUniversalCookie is base64 encoded, when decoded it is of the format shown below (sensitive data has been stripped):


<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><cookie><definitionName>NewUserPasswordCookie</definitionName><name>*****</name><alias>*****</alias><userID>*****</userID></cook"
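As an added, defender-side example (not part of the advisory), the following Python audit checks Set-Cookie headers for the weaknesses described in the Description and PoC sections above: missing HttpOnly/Secure flags, a Luhn-valid PAN in the cookie value, and base64-encoded XML carrying identity fields. The headers are constructed for the example; the cookie names follow the advisory and the standard Luhn test number stands in for a real card.

```python
import base64
import re
from urllib.parse import unquote

# Constructed Set-Cookie headers modelled on the advisory's cookie names.
# The card number is the well-known Luhn-valid test PAN, not real data.
SAMPLE_HEADERS = [
    "Set-Cookie: rinfo=/EBAN_Cards_ENS/BtoChannelDriver.ssobto?dse_operationName="
    "viewRecentTransactions&cardSelected=4111111111111111; Path=/",
    "Set-Cookie: NewUniversalCookie=" + base64.b64encode(
        b'<?xml version="1.0"?><cookie><name>J Doe</name><userID>12345678</userID></cookie>'
    ).decode() + "; Path=/; Secure",
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def decoded_views(value: str) -> list:
    """Raw value plus its URL-decoded and (if valid) base64-decoded forms."""
    views = [value, unquote(value)]
    try:  # the advisory's XML is ISO-8859-1, so decode as latin-1
        views.append(base64.b64decode(value, validate=True).decode("latin-1"))
    except Exception:
        pass
    return views

def audit_set_cookie(header: str) -> dict:
    """Report missing flags and sensitive-looking content for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(":", 1)[1].split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    findings = set()
    if "httponly" not in attrs:
        findings.add("missing HttpOnly")
    if "secure" not in attrs:
        findings.add("missing Secure")
    for view in decoded_views(value):
        if any(luhn_ok(m) for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", view)):
            findings.add("Luhn-valid PAN in value")
        if re.search(r"<(name|alias|userID)>", view):
            findings.add("identity fields in decoded XML")
    return {"cookie": name, "findings": sorted(findings)}

def audit_all(headers=SAMPLE_HEADERS) -> dict:
    return {r["cookie"]: r["findings"] for r in map(audit_set_cookie, headers)}
```

Run it against a real response capture of your own application to confirm that session and identity data never leave the server side in a cookie and that every cookie carries both flags.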



*Credits*
ee4f99e7e240e4ebef195678a635c0a9



*References*
Santander's Data Protection Statement:
http://tinyurl.com/santander-dpa


Santander's Cookie Policy stating "cookies do not contain personal information, and cannot be used to identify you":
http://tinyurl.com/santanderCookies


PCI DSS v2.0:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf





© 2022 Packet Storm. All rights reserved.