Because I was unable to contact Sberbank, or more precisely anyone sane on the other side, I want to share this so that, if the data leak does not get fixed, there is at least a warning about it.
Recently, I accidentally discovered that Sberbank Online is densely packed with counters: Google, Doubleclick, Rutarget, YaMetrika. Once again: in the personal account area, where people transfer money, enter very personal information and so on, there are scripts that do not belong to Sberbank at all and that belong, for example, to companies that are not ours. Let's see what comes of this (slides and video below). I discovered this completely by accident, because I don't use banner cutters (ad blockers) and disdain them because of the glitches they create. Now I strongly recommend that, until the situation is corrected, a banner cutter be enabled at least on the Sberonline website, although I personally did get glitches there with the cutter turned on.
A banner cutter blocks part of the malware.
I wrote to zabota @ Sber and on FB. I can't stand making phone calls, sorry. On FB I got a great response.
I was not even offended; I just recorded a video.
On the left is the Sberbank Online site; on the right is my computer, 20 km from the place where I am sitting. When any text is typed, including a password, the data goes to a log on my computer. I did not want to bother, because everything took less time than writing this article.
The essence of what is happening is as follows:
1) Scripts can be used to collect any information about payments, cards, passwords and other entered and displayed data.
2) The scripts may not come from the hosts from which they were originally intended to be loaded (in the video above, I replaced one of the scripts with my own), since the security assessment is shifted to the user's browser, which is an extremely insecure thing.
3) Scripts can be used to substitute the entered information.
In the video, I showed only the duplication of a password, simply because I do not want to log into my account publicly.
It all started with my forum, but, unfortunately, it did not give any result.
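An added example (not from the original post, and not Sberbank's code): a Python audit that lists the script hosts a page loads from outside its own domain, flags those without a Subresource Integrity hash, and derives a `script-src` policy limited to the site's own hosts. The page URL, domain names and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; all host names are placeholders, not real trackers.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://static.bank.example/vendor.js"></script>
<script src="https://counter.example/tag.js" async></script>
<script src="//ads.example/pixel.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body><form><input type="password" name="pw"></form></body></html>"""

class ScriptAudit(HTMLParser):
    """Record where each <script src> loads from and whether a password field exists."""
    def __init__(self, page_url, own_domain):
        super().__init__()
        self.page_url, self.own_domain = page_url, own_domain.lower()
        self.page_host = urlsplit(page_url).hostname
        self.own_hosts, self.foreign = set(), []   # foreign: (host, has_integrity)
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        if tag != "script" or not a.get("src"):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlsplit(urljoin(self.page_url, a["src"])).hostname or "").lower()
        if host == self.own_domain or host.endswith("." + self.own_domain):
            if host != self.page_host:
                self.own_hosts.add(host)
        else:
            self.foreign.append((host, bool(a.get("integrity"))))

def audit(html, page_url, own_domain):
    p = ScriptAudit(page_url, own_domain)
    p.feed(html)
    p.close()
    return {
        "sensitive_page": p.has_password_field,
        "third_party_hosts": sorted({h for h, _ in p.foreign}),
        "without_sri": sorted({h for h, ok in p.foreign if not ok}),
        # Policy that would let the browser refuse every foreign script host.
        "csp": " ".join(["script-src", "'self'"] + sorted("https://" + h for h in p.own_hosts)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "https://online.bank.example/login", "bank.example"))
```

Subresource Integrity pins a script to one exact file, so it suits only third-party files that do not change; for a page that handles passwords, the stricter outcome is the derived policy, which leaves foreign hosts out entirely.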