Researchers at DongIT find vulnerabilities on ten large Dutch banking websites
Security researchers at DongIT found cross-site scripting vulnerabilities on the main domains of ten Dutch banking websites, including ING, Rabobank and ABN Amro. These vulnerabilities allowed attackers to inject fake forms into the banking websites. The problems have since been fixed, after DongIT informed the banks concerned.
Besides ING, Rabobank and ABN Amro, the websites of Binck, Alex, ASN, Knab, SNS, Triodos and the Belgian Van Lanschot site were also vulnerable to cross-site scripting, according to researcher Wouter van Dongen of DongIT in correspondence with NU.nl. Most of these vulnerabilities were found in Flash files, he said in an interview with Tweakers. Other articles on this matter were published by RadarTV of the Dutch public broadcaster and by the magazine Computer Idee; both can be downloaded below.
The cross-site scripting vulnerabilities were found on the main domains of the banking websites. An attacker could have exploited this problem by injecting their own code into the website. However, it would require potential victims to be lured into clicking on a malicious link; the technique could, for example, be used in phishing emails. Users are commonly advised to check the URL of the website, but in this case the URL would be correct while the attackers could still inject their own code into the page.
Van Dongen built a proof of concept in which HTML elements on the banking websites begin to shake (see video below). “I deliberately did not add any fake forms on the website”, Van Dongen said. All banks have now taken action on the security issue.
In response to DongIT's findings at the ten banks, Dutch Members of Parliament Nijboer and Oosenbrug put parliamentary questions on this topic to Minister Dijsselbloem. The official announcement of the Lower House of Parliament can be downloaded below.