Security weaknesses on the Santander Group BillPay website and mobile banking application have been addressed by the financial services organization’s developer Headland after they were exposed less than a week ago.
U.K. consultant Paul Moore of Cresona Corp. reported a number of serious vulnerabilities on the Santander website and mobile application. Santander Group recently acquired Sovereign Bank in the United States and has 718 branches nationwide serving 1.7 million customers. The vulnerabilities included weaknesses in the online app that left it susceptible to man-in-the-middle and denial-of-service attacks, as well as support for older protocols that opened it up to a number of other attacks.
Moore said last Friday that Santander and Headland had resolved all outstanding issues aside from a weak password storage flaw, which requires code and database changes by the development agency.
Moore noted a number of problems; the most worrisome were improperly installed SSL certificates, which are meant to guarantee the encryption and security of online transactions. A vulnerability scan showed that the Web app did not support a number of baseline SSL protocol features, including secure session renegotiation, TLS compression, Forward Secrecy and Strict Transport Security; it did, however, support the outdated RC4 encryption algorithm, which a number of experts have urged organizations to move away from.
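The scan findings above map onto a short list of server-side TLS settings, and the mobile-app failure later in the article maps onto two client-side ones. The following Python is an added illustration, not code from the article, Santander or Headland: it audits a constructed list of cipher-suite names for RC4 and for suites without forward secrecy, builds a hardened server context with the standard library's `ssl` module (the `certfile`/`keyfile` paths are hypothetical), emits the Strict-Transport-Security header, and checks whether a client context actually verifies the peer.

```python
import ssl

# Constructed sample: cipher-suite names of the kind a scanner might list for a
# server that still offers RC4 and non-forward-secret suites. Not taken from
# any real scan of the site in the article.
SAMPLE_SCAN_CIPHERS = [
    "ECDHE-RSA-RC4-SHA",
    "RC4-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def audit_cipher_names(names):
    """Return findings for suites that miss the baseline in the article:
    RC4 must be gone, and every suite should use an ephemeral (ECDHE/DHE)
    key exchange so that recorded sessions cannot be decrypted later with
    the server's long-term key. TLS 1.3 suites (OpenSSL names them TLS_...)
    are forward-secret by design."""
    findings = []
    for name in names:
        if "RC4" in name:
            findings.append(f"{name}: RC4 still offered")
        if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append(f"{name}: static key exchange, no forward secrecy")
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext: TLS 1.2 or newer, ECDHE AEAD suites only,
    no TLS compression, no renegotiation. certfile/keyfile are the
    operator's own PEM files (hypothetical paths; skipped when not given)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only ephemeral-ECDH AEAD suites remain selectable; RC4 and static RSA
    # key exchange are excluded by construction rather than by blacklist.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION          # removes the CRIME surface
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Client-initiated renegotiation off entirely (flag needs OpenSSL 1.1.0h+).
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_cipher_names(ctx):
    """Names of the suites a context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_server_context(ctx):
    """Run the same audit against a live context instead of a scan list."""
    return audit_cipher_names(context_cipher_names(ctx))


def hsts_header(max_age=31536000, include_subdomains=True):
    """Strict-Transport-Security response header: browsers that have seen it
    refuse plain-HTTP connections to the host for max_age seconds."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def client_verifies_peer(ctx):
    """True only if a client context checks both the certificate chain and
    the hostname; skipping either means a proxy-minted certificate is
    accepted, which is the failure the article describes in the mobile app."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for finding in audit_cipher_names(SAMPLE_SCAN_CIPHERS):
        print("scan:", finding)
    print("hardened context:", audit_server_context(hardened_server_context()) or "no findings")
    print(*hsts_header(), sep=": ")
    print("default client context verifies peer:", client_verifies_peer(ssl.create_default_context()))
```

The audit is deliberately name-based so it can be run over a scanner's output without a live connection; the hardened context is the configuration the audit would pass, and `client_verifies_peer` is the check to apply to any app's HTTPS client before shipping it.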
Moore also discovered issues with password storage: the app imposed a maximum length of 50 characters per password, indicating it may not be hashing passwords securely. Moore attempted a password reset, but was instead offered a reminder email in which his password was delivered in plain text.
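Both symptoms in that paragraph, the length cap and the reminder email, point at the same root cause: the password is kept in a form the site can read back. The Python below is an added example, not the bank's or its developer's code, showing what the fix looks like: a salted, slow hash that accepts any length, and a reset flow that sends a one-time token rather than the password. The `pending` and `users` dictionaries stand in for database tables; the work factor and token lifetime are the example's own choices.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
RESET_TOKEN_TTL = 15 * 60     # seconds a reset token stays valid


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256. The stored string has the same shape for any
    input length, so no 50-character cap is needed; a cap like that usually
    means the password itself is being written to a fixed-width column."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def issue_reset_token(pending, username, now=None):
    """Start a reset: a random one-time token goes to the user out of band;
    only its SHA-256 and an expiry are kept server-side, so a leaked table
    yields no usable tokens. Nothing about the current password is sent."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[username] = (hashlib.sha256(token.encode("ascii")).hexdigest(),
                         now + RESET_TOKEN_TTL)
    return token


def redeem_reset_token(pending, users, username, token, new_password, now=None):
    """Finish a reset. The token must match and be unexpired; it is consumed
    only on success, so a wrong guess does not cancel a legitimate reset."""
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None:
        return False
    token_hash, expires_at = entry
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if now > expires_at or not hmac.compare_digest(token_hash, presented):
        return False
    users[username] = hash_password(new_password)
    del pending[username]
    return True


if __name__ == "__main__":
    users, pending = {}, {}
    long_pw = "correct horse battery staple " * 4          # 116 characters
    users["alice"] = hash_password(long_pw)
    print("long password verifies:", verify_password(long_pw, users["alice"]))
    token = issue_reset_token(pending, "alice")
    print("wrong token accepted:", redeem_reset_token(pending, users, "alice", "not-it", "new-pw"))
    print("real token accepted:", redeem_reset_token(pending, users, "alice", token, "new-pw"))
    print("new password verifies:", verify_password("new-pw", users["alice"]))
```

A site built this way cannot produce a reminder email even if asked to, which is the property an auditor is really testing for when a "forgot password" form returns the original secret.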
The site also suffered from a serious cross-site scripting vulnerability on a payment gateway hosted under the BillPay website, which allowed attackers to inject content at will, including fake payment forms or other hacks that could lead to a loss of data or funds.
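The injected-form risk described above is what a payment page's output encoding and Content-Security-Policy exist to contain. As an added illustration (not the gateway's actual code), the Python below shows the unsafe pattern of interpolating untrusted text into markup next to the encoded version, a CSP whose `form-action 'self'` directive keeps any form that does get injected from posting off-site, and a small self-check on the rendered fragment. The sample input and the `elsewhere.example` host are constructed for the example.

```python
import html
import re

# Constructed sample of hostile text a payee or reference field might carry:
# it tries to close the attribute, run a script and add a form posting off-site.
SAMPLE_PAYLOAD = ('"><script>hostile()</script>'
                  '<form action="https://elsewhere.example/">')

# Tags the template below legitimately emits.
TEMPLATE_TAGS = {"form", "input", "p", "button"}


def render_payee_unsafe(payee):
    """The pattern behind the flaw: untrusted text dropped straight into markup."""
    return f'<input name="payee" value="{payee}">'


def render_payment_form(payee, reference):
    """Encode for the HTML context: html.escape(quote=True) turns <, >, &, "
    and ' into entities, so the payee stays inside its attribute and the
    reference stays plain text no matter what either contains."""
    return (
        '<form method="post" action="/pay">\n'
        f'  <input name="payee" value="{html.escape(payee, quote=True)}">\n'
        f'  <p>Reference: {html.escape(reference)}</p>\n'
        '  <button type="submit">Pay</button>\n'
        '</form>'
    )


def csp_header():
    """Defense in depth for a payment page: no inline or third-party script,
    no plugins, no base-URL tricks, and form-action 'self' so an injected
    form cannot submit card details elsewhere."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; form-action 'self'; frame-ancestors 'none'")


def markup_is_inert(rendered):
    """Cheap regression check for the template: every tag in the rendered
    fragment must be one the template itself emits."""
    tags = set(re.findall(r"<\s*/?\s*([a-zA-Z]+)", rendered))
    return tags <= TEMPLATE_TAGS


if __name__ == "__main__":
    print("unsafe render inert:", markup_is_inert(render_payee_unsafe(SAMPLE_PAYLOAD)))
    safe = render_payment_form(SAMPLE_PAYLOAD, "Invoice <#42> & co")
    print("encoded render inert:", markup_is_inert(safe))
    print(safe)
    print(*csp_header(), sep=": ")
```

Encoding at output time, in the context the value lands in, is the fix; the CSP is the second layer that limits damage if a template is ever missed, and `form-action` in particular addresses the fake-payment-form scenario the article raises.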
As for the mobile app, Moore said that, using the Fiddler tool, he was able to run a man-in-the-middle attack against himself that captured his credentials. The app failed to alert him to the phony SSL certificate generated by Fiddler and completed the log-in. The same was true of the Santander Group’s mobile business app.
On the plus side, Moore said Santander Group and Headland resolved the issues within 72 hours of their being reported. The SSL implementation was addressed first, with support for RC4 and for insecure renegotiation removed. Shortly thereafter, those fixes were followed by a resolution of the SSL certificate issues.
“There’s an unnecessary root anchor which will increase handshake latency but from a security standpoint, it’s much safer. Not class-leading, but good enough,” Moore said, adding that the vulnerable mobile apps were still reachable on Google Play. “It should also be noted that Santander have investigated and resolved the vast majority of issues within 72hrs of this article going live. Although it doesn’t allay my concerns completely, it certainly helps restore faith in their approach to security.”