Case #5: Tell me your bank account no. and I'll tell you how rich you are

I'm sure you expect your bank accounts to be safe from prying eyes. For a while, any other customer who knew my bank account number could check my account balance.

Published: Mon, September 11, 2017, 07:00
Category: Security
Tags: Security Monday, Information leak, Authorization, Bank account, OWASP 2013 A7

tl;dr

The Norwegian bank Skandiabanken leaked the balance of other customers' bank accounts. I also question parts of their session handling.

Summary

Who: Skandiabanken
Severity level: High
Reported: September 2017
Reception and handling: Very good
Status: Fixed
Reward: A big thank you
Issue: Information leak with other customers' bank account balances and account names

Background

Skandiabanken - soon to be called Sbanken - is a fairly large bank in Norway with more than 400,000 customers. It was Norway's first pure online bank when it started in 2000. I have been a customer since the start, and all along it has been my favourite bank.

This summer a regulation for personal savings accounts for shares was approved. From September 1st 2017 it was possible to move shares and funds into this new type of account. The timing meant that all banks in Norway were suddenly in a hurry to get the product ready.

The morning the new account type opened I was logged in to create one for myself. I noticed a few missing text translations and some places where the user interface said "undefined". This new part of the bank wasn't bug-free yet.

Approach (technical stuff)

I opened the Vivaldi developer tools while logged in, to see what network calls were being made. I was surprised to see that one of the presumably new Ajax calls contained one of my bank account numbers. I could be wrong, but I think it's atypical for them to use that ID when asking for data from the backend. That in itself doesn't mean anything, but I got curious and wondered if my data was properly secured.

The Ajax call returned JSON with the balance and some other data about the bank account in question. I asked a friend for a bank account number and permission to check if I could get any of his data returned. And indeed I got his data.

Security issue

Knowing just the bank account number of another customer, one could get this data:

  • A UUID for the bank account
  • The customer's own name for the account
  • The account's bank balance
  • The account's book balance
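The missing authorization check, modelled as an added example that is not Skandiabanken's code: a small stand-in for the balance endpoint in its vulnerable form, with an ownership check added, and with the account derived from the session instead of a request parameter (the shape of the bank's later fix). Customer ids, session ids, account numbers and balances are all constructed.

```python
# Added example, not Skandiabanken's code: a minimal stand-in for the account
# balance Ajax endpoint in its vulnerable form and two hardened forms.
# Customer ids, session ids, account numbers and balances are constructed.
from dataclasses import dataclass

@dataclass
class Account:
    account_no: str
    owner: str          # customer id of the owner
    name: str           # the customer's own name for the account
    balance: float
    book_balance: float

# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "97100000001": Account("97100000001", "cust-A", "Salary", 1200.0, 1150.0),
    "97100000002": Account("97100000002", "cust-B", "Holiday", 8000.0, 8000.0),
}
SESSIONS = {"sess-alice": "cust-A", "sess-bob": "cust-B"}  # cookie -> customer

def to_json(acc):
    return {"name": acc.name, "balance": acc.balance, "bookBalance": acc.book_balance}

def balance_vulnerable(session_id, account_no):
    """Only checks that the caller is logged in, then returns whatever account
    the client named: any customer can read any other customer's balance."""
    if session_id not in SESSIONS:
        return 401, None
    acc = ACCOUNTS.get(account_no)
    return (200, to_json(acc)) if acc else (404, None)

def balance_ownership_check(session_id, account_no):
    """Hardened A: keep the parameter but verify the account belongs to the
    caller. Foreign and unknown accounts both get 404, so the response does
    not even confirm that the account number exists."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        return 401, None
    acc = ACCOUNTS.get(account_no)
    if acc is None or acc.owner != customer:
        return 404, None
    return 200, to_json(acc)

def balance_from_session(session_id):
    """Hardened B (the shape of the bank's fix): no account parameter at all;
    the account is derived from the session, so nothing else can be named."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        return 401, None
    acc = next((a for a in ACCOUNTS.values() if a.owner == customer), None)
    return (200, to_json(acc)) if acc else (404, None)
```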

Reception and handling

Day zero

I notified the bank and they immediately responded and started checking out the issue.

Just hours later they had rolled out a fix for the problem. This must be the quickest fix I have ever seen for a security issue.

Later the same day I was phoned by one of the chiefs, who thanked me and said they were grateful that I had found and reported the issue.

Day 4 - incorrectly reporting a second issue...

I had left my browser logged in to this new part of the bank, called "Min sparing" ("My savings"). When I returned to the computer quite a bit later I noticed that I was still logged in, and that I could close and reopen my browser and still be logged in to this part of the bank. Going to other parts of the bank would log me out from everything.

I reported this by e-mail, but just after that I learned that this part of the bank has a 9-hour session time, not the 20 minutes used in most other parts of the bank. I felt a bit embarrassed for reporting a non-issue and wasting their time.

Day 5 - ...or was I onto something?

The next morning I realized something. Though this "My savings" session time was intentionally high, Skandiabanken allows simultaneous logins, and logging out from one session doesn't invalidate any others. This means that if someone gets access to a computer where the user forgot to log out after accessing "My savings" in the last hours, they can get hold of the cookies and keep the session alive just by calling the server once in a while.

What's more, this call can be made from any location; it doesn't have to come from the same computer or IP address. The "My savings" page gives a pretty good glance into your finances (shares, funds and some transactions), and with the Ajax call mentioned above the same cookie could also be used to access the balance of other known account numbers for that logged-in user. Hopefully the session can't be kept alive forever without signing in again. While testing I kept one session alive for more than 36 hours (while changing locations and logging other devices in and out).

Skandiabanken replied and told me that this session handling is a feature and not a bug. They want a long session time, and they don't want to tie a session to an IP address because of mobile clients.
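One way to bound the exposure described above while keeping the long idle timeout the bank wants, as an added example that is not the bank's code: a session store with the post's 9-hour idle limit plus an assumed 12-hour absolute cap (so keep-alive pings cannot extend a session forever), and a logout-everywhere operation that also ends a session left open on another machine. Timestamps are plain seconds and all limits and ids are constructed.

```python
# Added example, not Skandiabanken's code: a session store that keeps a long
# idle timeout but caps total session lifetime, so keep-alive pings cannot
# extend a forgotten session indefinitely, and can revoke every session of a
# customer at once. Times are plain seconds; all limits and ids are constructed.
import secrets

IDLE_LIMIT = 9 * 3600        # the 9-hour "My savings" idle timeout from the post
ABSOLUTE_LIMIT = 12 * 3600   # assumed cap: a fresh sign-in is required after this

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"customer", "created", "last_seen"}

    def login(self, customer, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"customer": customer, "created": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Run on every request, keep-alive pings included. Returns the customer
        id while the session is valid; otherwise drops the session and returns None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_LIMIT or now - s["created"] > ABSOLUTE_LIMIT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["customer"]

    def logout(self, sid):
        """Ends only this session: the behaviour the post describes."""
        self._sessions.pop(sid, None)

    def logout_everywhere(self, customer):
        """Ends every session of the customer, including one left open on
        another machine. Returns how many sessions were revoked."""
        doomed = [k for k, s in self._sessions.items() if s["customer"] == customer]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def active_sessions(self, customer):
        return sum(1 for s in self._sessions.values() if s["customer"] == customer)
```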

Day 5 - new webapp deployed

Skandiabanken seems to have removed the bank account number from the Ajax call, so it always returns the balance of the payment account for funds, and the "My savings" page now fetches only savings-related data. I would say that's a step in the right direction. The 9-hour session time seems to remain the same.

Conclusion

As far as I know the security hole with balance access was introduced that morning and was in the wild for less than a day. I have worked with online banking as an IT consultant and know how seriously security is taken in that industry. I was pleased - but not surprised - to see how seriously and professionally Skandiabanken handled everything.

I feel confident that this issue would have been discovered relatively quickly by the bank itself had I not reported it. However, for me online banking is one of those services that just needs to always be secure and never leak information like this.

What makes me a bit uneasy is the session handling feature/issue, where someone could be watching my finances through a logged-in session that I'm unaware of.

Please remember to always hit that Log out button.
