Date: 2020-05-08

Santander is the 5th largest bank in Europe and the 16th in the world, with a market capitalization of 33,000 million euros on the Spanish stock market. The entity has subsidiaries around the world, and the one affected by the security breach is the Belgian subsidiary, called Santander Consumer Bank, which had a misconfigured domain that allowed the files stored on it to be indexed.

The fault affected a company blog, not the bank portal

The researchers analyzed the files they could access and found sensitive information, including a SQL database and a JSON file that would allow an attacker to modify the website and subsequently launch phishing attacks. They therefore contacted the bank immediately, on April 15. The bank subsequently resolved the fault, and on the 24th confirmed that it had done so. On April 27, CyberNews checked whether the data was still accessible, and access had indeed already been blocked.

The affected domain is the blog of Santander Consumer Bank Belgium, which only holds public information and articles, so the bank affirms that no sensitive customer data or critical information has been exposed.

CyberNews was able to access the files because the blog had the CloudFront API keys in an info.json file. CloudFront is a CDN created by Amazon, used to host large files and to scale capacity more easily. In the hands of an attacker, however, these keys would make it possible to replace the content hosted in CloudFront with any other, so that users visiting the page would download files controlled by the attacker.
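As an added illustration (not part of the original article or of CyberNews's research), this is a check a site owner could run over a web root before publishing, to catch credentials in served JSON files such as the info.json described above. The field names, the sample files and the name pattern are assumptions; the key ID is the example value from AWS's documentation.

```python
import json
import re
import tempfile
from pathlib import Path

# AWS access key IDs: 20 characters, prefix AKIA (long-term) or ASIA (temporary).
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Field names that suggest a credential (assumed list; extend it for your stack).
SECRET_NAME_RE = re.compile(r"secret|private[_-]?key|access[_-]?key|api[_-]?key", re.I)

def walk(node, trail="$", name=""):
    """Yield (json_path, field_name, value) for every scalar in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{trail}.{key}", key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{trail}[{index}]", name)
    else:
        yield trail, name, node

def scan_webroot(root):
    """Return sorted (relative_file, json_path, reason) findings for *.json under root."""
    findings = []
    for path in Path(root).rglob("*.json"):
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            doc = json.loads(text)
        except ValueError:
            doc = text  # malformed JSON: still scan the raw text for key IDs
        rel = path.relative_to(root).as_posix()
        for trail, name, value in walk(doc):
            if isinstance(value, str) and KEY_ID_RE.search(value):
                findings.append((rel, trail, "aws-access-key-id"))
            elif SECRET_NAME_RE.search(name) and isinstance(value, str) and value:
                findings.append((rel, trail, "secret-like-field"))
    return sorted(findings)

def demo():
    """Scan a constructed web root whose info.json carries AWS's documented example key ID."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"cdn": {"access_key_id": "AKIAIOSFODNN7EXAMPLE",
                          "secret_access_key": "CONSTRUCTED-PLACEHOLDER"}}
        Path(root, "info.json").write_text(json.dumps(sample))
        Path(root, "posts.json").write_text(json.dumps({"posts": [{"title": "Rates"}]}))
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Any finding in a directory that the web server serves means the key should be rotated, not just the file removed, since it may already have been fetched.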

Santander affirms that there has been no leak of personal data

For example, if a hosted file contained an account number, an attacker could swap it for one containing their own account number and receive money that people think they are sending to the bank. An attacker could also host an HTML file that completely replaces a website in order to steal users’ credentials when they enter them in any form.

Fortunately, it seems that no attacker has exploited the vulnerabilities present on the blog. If discovered, the flaw could have generated a wave of phishing, with emails posing as the bank and using the company’s real domains, even though those domains belonged to the blog and not to the bank’s login page.