At the Belgian subsidiary of the Spanish bank Santander, a misconfigured web server allowed the files it stored to be indexed. While inspecting this data, security researchers from Cybernews came across sensitive material in the form of SQL dumps and JSON files. An API key found there would have allowed certain files in a CDN to be replaced.
The Spanish Santander Bank is the fifth largest bank in Europe, with branches in several European countries. The multinational bank controls total assets of around $1.4 trillion worldwide and has a market capitalisation of $69.9 billion in the Euro Stoxx 50 stock market index. And there was a security incident that probably ended up being minor. I was informed of the incident by e-mail at the beginning of the week; Cybernews has since documented it in a blog post.
A misconfigured web server in Belgium
Security researchers from Cybernews discovered a potential security incident at Santander Bank in Belgium while scanning the Internet. The analysts found that the Belgian branch, Santander Consumer Bank, had a misconfiguration in its blog domain that allowed the files stored there to be indexed (a directory listing).
The security researchers used this opportunity to look through these files. They discovered sensitive information, including an SQL dump and a JSON file. Within these indexed files was an info.json file that contained the Cloudfront API key for this Santander blog.
CloudFront is Amazon's Content Delivery Network (CDN). Websites use CDNs to deliver large files such as videos, PDFs, large images and other static content to clients, so that the website itself does not slow down.
Anyone holding Santander's CloudFront API key could replace content hosted in the CloudFront CDN. This could range from swapping documents (PDFs, etc.) that contain account numbers for bank transfers to replacing a file for a phishing attack. The latter is particularly perfidious, because the phishers would have operated under the official Belgian Santander domain and could have harvested login credentials and the like behind a deep link.
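As an added defensive check (not part of the original post, and not tooling from Cybernews or Santander), the following Python script applies the two observations above to constructed sample input: it recognises an autoindex-style listing, flags file names that should never be publicly listed (SQL dumps, an info.json), and walks a JSON document for keys that look like credentials. The file-name and key-name patterns are heuristics assumed here.

```python
import json
import re
from html.parser import HTMLParser

# File names that should never be reachable through a public directory listing (assumed list).
SENSITIVE_NAME = re.compile(r"\.(sql|sql\.gz|dump|bak|env|pem|key)$|^info\.json$", re.I)
# JSON keys whose values usually hold credentials (heuristic, case-insensitive).
SECRET_KEY = re.compile(r"api[_-]?key|secret|token|password", re.I)

class ListingParser(HTMLParser):
    """Collects file links from an autoindex-style 'Index of' page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href and not href.startswith(("?", "/", "../")):
            self.links.append(href)

def is_directory_listing(html):
    """Heuristic: autoindex pages from common web servers say 'Index of'."""
    return "Index of" in html

def sensitive_files(html):
    """Return linked file names in a listing that match SENSITIVE_NAME."""
    p = ListingParser()
    p.feed(html)
    return [h for h in p.links if SENSITIVE_NAME.search(h)]

def leaked_secret_keys(json_text):
    """Return dotted key paths in a JSON document whose names look like secrets."""
    found = []
    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if SECRET_KEY.search(k) and isinstance(v, str) and v:
                    found.append(path + k)
                walk(v, path + k + ".")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, path + str(i) + ".")
    walk(json.loads(json_text), "")
    return found

# Constructed sample inputs (not data from the incident); the key value is a placeholder.
SAMPLE_LISTING = ('<html><head><title>Index of /blog/files</title></head><body><pre>'
                  '<a href="../">../</a> <a href="banner.png">banner.png</a> '
                  '<a href="backup-2020.sql">backup-2020.sql</a> <a href="info.json">info.json</a>'
                  '</pre></body></html>')
SAMPLE_INFO_JSON = '{"cdn": {"provider": "cloudfront", "api_key": "PLACEHOLDER"}, "title": "blog"}'
```

Running the three functions over the samples reports a listing, the two sensitive file names, and the key path cdn.api_key; a clean page or a JSON file with only empty credential fields reports nothing.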
Bank fixes the misconfiguration
On 15 April, the security researchers informed the webmaster of the Belgian Santander website about the misconfiguration. A reply from the bank arrived on 24 April. It says:
The highlighted incident relates specifically only to the blog of Santander Consumer Bank Belgium. The blog contains only public information and articles, so no customer data or critical information from the blog was compromised. Our security team has already fixed the problem to ensure the security of the blog.
Santander's cyber-security team did not forget to add: "We take cyber-security seriously and strive to maintain the highest security standards and best practices and welcome a responsible disclosure attitude from security researchers".
When the security researchers re-examined the misconfiguration on April 27, 2020, access was denied as expected, so the misconfiguration has been eliminated. The security researchers recommend that Santander's customers, and bank customers in general, always check the domain and subdomain linked in a suspicious mail allegedly from their bank. Users should make sure that the domain is the bank's real domain and that the link points to the usual login pages. A bank will never host important requests for financial information on a subdomain of its own website; such a link should be treated as an alarm signal.