XSS Harlem Shake

DongIT security researchers find vulnerabilities on ten Dutch banks

DongIT researchers find vulnerabilities on ten large Dutch banking websites

Security researchers at DongIT found cross-site scripting vulnerabilities on the primary domains of ten Dutch banking websites, including those of ING, Rabobank, and ABN Amro. These vulnerabilities would allow malicious attackers to inject fake forms into the banking websites. The problems have since been fixed after DongIT informed the banks concerned.

Besides ING, Rabobank, and ABN Amro, the websites of Binck, Alex, ASN, Knab, SNS, Triodos, and the Belgian Van Lanschot site were also vulnerable to cross-site scripting, according to researcher Wouter van Dongen of DongIT in correspondence with NU.nl. In an interview with Tweakers he said that most of these vulnerabilities were found in Flash files. Other articles on this matter were published by RadarTV of the Dutch public broadcaster and by the magazine Computer Idee, which can be downloaded below.

Download the full article from Computer Idee (in Dutch).

The cross-site scripting vulnerabilities were found on the main domains of the banking websites. An attacker could have exploited them by injecting code into the website, but this would require potential victims to be lured into clicking a manipulated link, for example in a phishing email. Users are usually advised to check the URL of the website; in this case, however, the URL would be the bank's genuine one while the attacker's code was still injected.
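As an added illustration (not DongIT's proof of concept and not any bank's code), the following Python sketch shows the pattern behind a reflected cross-site scripting flaw on a genuine domain and how output encoding plus a Content-Security-Policy neutralises it; the bank.example host, the q parameter and the sample URL are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example: a bank-style page that echoes a query parameter
# (a search term) back into its HTML. The URL is the bank's own domain,
# so checking the address bar alone cannot tell the two responses apart.
TEMPLATE = "<html><body><h1>Search</h1><p>Results for: {term}</p></body></html>"

# Constructed sample link: the q parameter carries percent-encoded markup.
SAMPLE_URL = ("https://bank.example/search?q="
              "%3Cform%20action%3D%22https%3A%2F%2Fexample.invalid%22%3E")


def term_from_url(url: str) -> str:
    """Return the decoded 'q' parameter of a full URL (constructed helper)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Untrusted input is interpolated into markup verbatim: reflected XSS."""
    return TEMPLATE.format(term=term_from_url(url))


def render_hardened(url: str) -> tuple[str, dict]:
    """Same page with HTML-context escaping and a restrictive CSP."""
    # html.escape turns < > & " ' into entities, so injected markup such as
    # a fake <form> is shown as text instead of being parsed by the browser.
    body = TEMPLATE.format(term=html.escape(term_from_url(url), quote=True))
    # Defence in depth: forbid inline script, restrict where forms may submit,
    # and disable plugin content (object-src 'none' covers Flash objects).
    headers = {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "form-action 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def contains_injected_form(page: str) -> bool:
    """Crude check: does the rendered HTML contain a live <form> tag?"""
    return "<form" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL)[0])
```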

Van Dongen built a proof of concept in which HTML elements on the banking websites began to shake (see video below). "I deliberately did not add any fake forms to the website", Van Dongen said. All banks have since taken action on the security issue.

In response to DongIT's findings at the ten banks, Dutch Members of Parliament Nijboer and Oosenbrug put parliamentary questions on the matter to minister Dijsselbloem. The official announcement of the Lower House of Parliament can be downloaded below.

Download the official announcement of the Lower House of Parliament (in Dutch).