Recently, Tinkoff Bank's customers discovered an interesting fact: the bank had made statements with information on the movement of money on customer accounts available on its website via a direct link. Is this an oversight by information security specialists and a violation of bank secrecy, or just another PR stunt from Oleg Tinkoff, who is known for such tricks?

Every month, each client of Tinkoff Bank receives a statement by e-mail: a nice letter with a PDF file attached containing information on the movement of money through their accounts.

Example of an attached statement:

At the end of July, the layout of the letter changed a little: the bank decided not to attach the statement file any more but to include only a link.

Everything would be fine, but the link leads directly to the bank's website, https://www.tinkoff.ru, at the page:
www.tinkoff.ru/statement/?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Some points:
- The link passes no parameters except the 64-digit ticket id.
- The link can be opened from any IP address.
- Opening the page via the link does not require logging in to the account on the bank's website.
When the "magic" page loads, the download of that particular client's statement begins automatically.

Bank employees commented on the situation as follows:

UPD: If you look at the source code of the statement page, you can find embedded widgets from:
- Twitter
- Facebook
- Youtube
- Google+
- Instagram
If knowing only the address of the page is enough to get a statement, then the technical staff of these services already have access to confidential data of the bank's customers.
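The two properties described above (a long-lived ticket in the URL is the only thing needed to fetch the statement, and the same page embeds third-party widgets that receive that URL in the Referer header) are what make the design risky. The following is an added example of how such a download endpoint can be designed instead; it is not Tinkoff's code and does not describe how the bank's API works. All names (issue_ticket, redeem_ticket, download_headers, the in-memory stores and the sample PDF bytes) are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example; a real deployment keeps the key in a KMS/HSM.
SECRET_KEY = secrets.token_bytes(32)
TICKET_TTL = 600  # seconds; a link mailed to a customer should not stay valid for weeks

# In-memory stand-ins for a database (constructed for this example).
_issued = {}  # ticket_id -> {"user": str, "exp": float, "used": bool}
_statements = {"user-42": b"%PDF-1.4 constructed sample statement"}


def _sign(ticket_id: str) -> str:
    """HMAC over the ticket id so a guessed or tampered id fails before any lookup."""
    return hmac.new(SECRET_KEY, ticket_id.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, now=None) -> str:
    """Issue a short-lived, single-use ticket for the caller's own statement.

    Called only from an authenticated context: the session already proves user_id,
    so the ticket is a pointer to a statement, never a substitute for logging in.
    """
    now = time.time() if now is None else now
    ticket_id = secrets.token_urlsafe(32)
    _issued[ticket_id] = {"user": user_id, "exp": now + TICKET_TTL, "used": False}
    return f"{ticket_id}.{_sign(ticket_id)}"


def redeem_ticket(ticket: str, session_user, now=None):
    """Return (status, pdf_bytes).

    The file is released only when the requester has an authenticated session,
    the ticket signature is valid, the ticket is unexpired and unused, and the
    ticket was issued to the very user who is logged in.
    """
    now = time.time() if now is None else now
    if session_user is None:
        return "login_required", None  # a bare link from any IP is not enough
    try:
        ticket_id, sig = ticket.split(".", 1)
    except ValueError:
        return "invalid", None
    if not hmac.compare_digest(sig, _sign(ticket_id)):
        return "invalid", None
    rec = _issued.get(ticket_id)
    if rec is None or rec["used"]:
        return "invalid", None  # unknown or already consumed
    if now > rec["exp"]:
        return "expired", None
    if rec["user"] != session_user:
        return "forbidden", None  # ticket belongs to someone else
    rec["used"] = True  # single use: a forwarded or leaked link is worthless afterwards
    return "ok", _statements[rec["user"]]


def download_headers(filename: str = "statement.pdf") -> dict:
    """Response headers for the download.

    Referrer-Policy keeps the URL out of Referer headers sent to any embedded
    third-party widget; Cache-Control keeps the PDF out of shared caches; the
    X-Robots-Tag header keeps the endpoint out of search indexes.
    """
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
        "X-Robots-Tag": "noindex, nofollow",
    }


if __name__ == "__main__":
    t = issue_ticket("user-42")
    print(redeem_ticket(t, None))        # ('login_required', None)
    print(redeem_ticket(t, "user-42"))   # ('ok', b'%PDF-1.4 ...')
    print(redeem_ticket(t, "user-42"))   # ('invalid', None): single use
```

The design choice worth noting: the ticket never acts as a bearer credential on its own. Even a perfectly random 64-character id leaks through Referer headers to embedded widgets, through proxy and web-server logs, and through forwarded e-mails, so the link should only identify which statement to serve, while the session decides whether the requester may have it. Headers such as X-Robots-Tag and a robots.txt entry only affect indexing; they are not access control and do not replace the session check.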
UPD 2: problem with robots.txt. Habr users noticed in the comments that the link in the e-mail leads to the domain click.email.tinkoff.ru, whose robots.txt is empty.
The statement itself (a PDF document) is downloaded from www.tinkoff.ru/api/v1/statement_file, which is not closed off in robots.txt.
The question arises: