Our new research recently discovered a security issue with Santander, the 5th largest bank in Europe and the 16th largest in the world. This Spanish multinational bank controls approximately $1.4 trillion in total assets globally, and has a $69.9 billion total market capitalization on the Euro Stoxx 50 stock market index.
Our analysts found that the Belgian branch, Santander Consumer Bank, has a misconfiguration in its blog domain, allowing its files to be indexed.
When we looked through these files, we were able to see sensitive information, including an SQL dump and JSON file that can be used by hackers to potentially phish Santander’s bank customers.
We contacted Santander immediately when we discovered the misconfiguration on April 15. Representatives from the leading European bank responded to our emails and seem to have fixed the issue, as we are presently unable to access the information.
A Santander Consumer spokesperson said:
“The incident highlighted relates specifically to the Santander Consumer Bank Belgium blog only. The blog contains only public information and articles, and therefore no customer data or critical information from the blog has been compromised. Our security team has already fixed the issue to ensure the blog is secure.”
What exactly is wrong with the Santander website?
When we visited the Santander blog on its Belgian domain, we noticed that the www endpoint of the blog subdomain had a misconfiguration that allowed all of its files to be indexed by search engines
Included in these indexed files was an important info.json file that seemed to contain its Cloudfront API keys.
Cloudfront is a Content Display Network (CDN) created by Amazon. Websites use CDNs to host large files, such as videos, PDFs, large images and other static content, that would normally slow down their own websites. Because these large files are hosted on the CDNs instead, websites are faster for users.
If a hacker were to get a hold of Santander’s apparent Cloudfront API keys, they would be able to switch out the content hosted on Cloudfront with any other content.
For example, if a PDF or Word document was hosted on Cloudfront, and this document contained sensitive information – such as what accounts a customer should send money to – then the hacker would be able to switch that document out with their own version. In that way, they’d be able to change the real account number to his own, and thereby steal the customer’s money.
If a static HTML file was hosted, then the hacker would be able to switch that out with an entire webpage, allowing them to create a phishing page to steal the user’s financial information, all while on Santander’s official Belgian domain.
How to protect yourself
On April 15, we notified Santander’s Belgian website of the misconfiguration, and on April 24 they responded and seem to have fixed the issue. Their CyberSecurity Team stated: “We take cyber security seriously and strive to maintain the highest security standards and best practices and welcome responsible disclosure attitudes in security researchers.”
When we checked for the misconfiguration again on April 27, we received the following message:
You don't have permission to access this resource.
For Santander’s customers, as well as all other banking customers, we’d recommend that you always check the domain and subdomain that a suspicious bank email is sending you to. Make sure that the domain is the bank’s real domain, but also know that important financial information requests would never be hosted on the blog subdomain of a bank.
Editor's note: this article was updated on May 19 to reflect new information in collaboration with BitSight that the keys may not have been active Cloudfront API keys at the time of our discovery.