Deplorable security flaws in Santander UK banking apps and site

When banks urge customers to use their mobile banking apps and sites for making online payments, users usually assume these methods are secure and do so.

But Paul Moore, a UK-based security researcher, has discovered that it’s definitely not the case with the site and mobile app of Santander UK, a subsidiary of the widespread Grupo Santander banking group.

And, what’s worse, he found the vulnerabilities easily and quickly, which means that knowledgeable attackers can do the same.

The BillPay website, built and maintained by UK-based design agency Headland, has many faults. For one, the site’s server is vulnerable to insecure renegotiation, which means that an attacker can inject arbitrary content into encrypted data, and thus perform a Man-In-The-Middle attack.

Secondly, the site’s SSL certificate has not been installed correctly.

Thirdly, the HMRC payment gateway hosted under Santander’s BillPay website contains a cross-site scripting (XSS) flaw that can be exploited by attackers to inject arbitrary content (for example, additional phishing forms to be filled out, etc.).

And finally, when users forget their password, and make a password reset request, they do not receive a new password – they are sent their own via email, in plain text.
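To make that last point concrete, here is an added Python sketch (not the article’s or Santander’s code) contrasting a store that can mail a password back with one that cannot: passwords are kept only as salted PBKDF2 hashes, and the reset e-mail carries a random, hashed, time-limited, single-use token instead. The in-memory dictionaries, the 600,000-round PBKDF2 setting and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory store for the flawed design: the record keeps the
# password itself, which is the only way "forgot password" can mail it back.
USERS_FLAWED = {"alice": {"password": "correct horse battery staple"}}

def flawed_reset(username):
    """Behaviour the article describes: return the stored password for the
    reset e-mail. Anyone who can read the database or the mail gets it too."""
    return USERS_FLAWED[username]["password"]

# Hardened design: only a salted PBKDF2 hash is stored, so there is no password
# to send; the e-mail carries a short-lived, single-use token instead.
PBKDF2_ROUNDS = 600_000  # assumed work factor
RESET_TTL = 15 * 60      # assumed token lifetime in seconds

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(users, username, password):
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "reset": None}

def check_password(users, username, password):
    rec = users[username]
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare

def request_reset(users, username, now=None):
    """Issue a reset token; only its hash is stored, so a database leak does not
    expose live tokens. The returned token, not a password, goes in the e-mail."""
    token = secrets.token_urlsafe(32)
    users[username]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (now or time.time()) + RESET_TTL,
    }
    return token

def complete_reset(users, username, token, new_password, now=None):
    rec = users[username]
    pending, rec["reset"] = rec["reset"], None  # consumed on first use, valid or not
    if pending is None or (now or time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    rec["salt"], rec["hash"] = hash_password(new_password)
    return True
```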

As far as the banking apps offered by the bank are concerned, both the personal and business versions are vulnerable to Man-In-The-Middle attacks.

How is that possible?

“When you route traffic through Fiddler [HTTP debugging proxy server app], it creates a fake SSL certificate which a secure browser/application should easily detect,” he explains. “Santander’s ‘secure’ mobile app however… assumes everything is safe and carries on regardless.”

He also pointed out that an attacker doesn’t need access to a user’s internal network for this exploit to work.

“I’ve probably spent a good hour on this and I’ve barely scraped the surface. No automated tools, just basic manual checks which it failed miserably,” he writes. “If Santander have missed the basics, what else have they missed? Let’s not forget, they provide a payment gateway for several high-profile web sites.”

After having been contacted about all the aforementioned issues, the bank finally solved one – the XSS vulnerability. All others are still present, and put users in danger, so Moore advises users to “avoid Santander like the plague.”