Deplorable security flaws in Santander UK banking apps and site
Posted on 11 December 2013.
When banks urge customers to use their mobile banking apps and sites for making online payments, users usually assume these methods are secure and do so.

But Paul Moore, a UK-based security researcher, has discovered that it's definitely not the case with the site and mobile app of Santander UK, a subsidiary of the widespread Grupo Santander banking group.

And, what's worse, he found the vulnerabilities easily and quickly, which means that knowledgeable attackers can do the same.

The BillPay website, built and maintained by UK-based design agency Headland, has several faults. For one, the site's server allows insecure SSL/TLS renegotiation, which means that an attacker can inject arbitrary content into the encrypted session and thus mount a Man-In-The-Middle attack.

Secondly, the site's SSL certificate has not been installed correctly.

Thirdly, the HMRC payment gateway hosted under Santander's BillPay website contains a cross-site scripting (XSS) flaw that can be exploited by attackers to inject arbitrary content (for example, additional phishing forms to be filled out).

And finally, when users forget their password and make a password reset request, they do not receive a new password - they are sent their existing one via email, in plain text.


As far as the bank's mobile banking apps are concerned, both the personal and the business version are vulnerable to Man-In-The-Middle attacks.

How is that possible?

"When you route traffic through Fiddler [HTTP debugging proxy server app], it creates a fake SSL certificate which a secure browser/application should easily detect," he explains. "Santander's 'secure' mobile app however… assumes everything is safe and carries on regardless."

He also pointed out that an attacker doesn't need access to a user's internal network for this exploit to work.
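The app behaviour Moore describes, reproduced in Go as an added example that is not part of the original article or of Santander's code: a local listener plays the intercepting proxy and presents a forged, self-signed certificate; a client that skips certificate verification accepts it, while a client with verification left on refuses it. The hostname bank.example and all certificate details are constructed placeholders.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// fakeCert builds an untrusted self-signed certificate in memory, standing in
// for the one an intercepting proxy forges ("bank.example" is a placeholder).
func fakeCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"bank.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartInterceptor serves the forged certificate on localhost and completes
// handshakes in the background; the caller closes the returned listener.
func StartInterceptor() (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{fakeCert()}})
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// Connect handshakes with addr as a client expecting "bank.example". skipVerify=true
// reproduces what Moore observed (any certificate is accepted); false is Go's default.
func Connect(addr string, skipVerify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "bank.example", InsecureSkipVerify: skipVerify})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

With verification on, the returned error names the forged certificate's unknown issuer, which is exactly the signal the app should have acted on.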

"I've probably spent a good hour on this and I've barely scraped the surface. No automated tools, just basic manual checks which it failed miserably," he writes. "If Santander have missed the basics, what else have they missed? Let's not forget, they provide a payment gateway for several high-profile web sites."

After being contacted about all of the aforementioned issues, the bank has so far fixed only one: the XSS vulnerability. All the others are still present and put users at risk, so Moore advises users to "avoid Santander like the plague."
Copyright 1998-2014 by Help Net Security.