The retail web site for Santander bank has been discovered to be keeping customer passwords in plain text in cookies held while the user is logged in. The discovery was revealed on the Full Disclosure mailing list when an anonymous user posted details of how credit card numbers and other information were stored in session cookies. The H set out to verify whether the claims were correct. One of the cookies referred to, "NewUniversalCookie", attracted attention as it is present at all times when using the Santander site.

According to the report, it is base64 decoded to reveal an XML document which contains a name, alias and userid. In fact, the cookie contains multiple fields; the base64 encoded XML document was just one of them. We found that, for at least one account, the innocuously named "alias" field of the decoded document in fact contained the user's password in plain text.

It also turns out that Santander uses case-insensitive passwords. The password alone is not sufficient to access a Santander account as there is another registration number that needs to be used with it, but the presence of a plain text password does raise questions about the security practices of the bank's online site.

The cookie in question is a session-only cookie and is marked, contrary to the original report, as "Secure" (transmitted over HTTPS only), so it would be difficult to extract unless the site had some XSS flaw. The posting on Full Disclosure does, though, point out that such a flaw did exist for over a year on the login page, "before being inadvertently fixed". It also notes that despite being session cookies, the values will be retained in the browser until the user quits it.
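The two problems described above, a base64-encoded XML field that carries a secret in the clear and a cookie whose flags decide whether script on the page can read it, are the kind of thing a site owner can check for in their own Set-Cookie headers. The following audit script is an added example, not code from the original article or from Santander: it parses a Set-Cookie header, reports missing Secure/HttpOnly flags, base64-decodes any field of the value that turns out to be XML, and flags elements whose names suggest credentials or card data. The cookie name is the one from the article; the multi-field layout, the "|" separator, the XML tags and every value are constructed assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample in the shape the article describes: a value made of several
# fields, one of which is base64-encoded XML. Separator, tags and values are assumed.
SAMPLE_XML = (
    b"<user><name>Jane Example</name>"
    b"<alias>hunter2</alias><userid>00001234</userid></user>"
)
SAMPLE_SET_COOKIE = (
    "NewUniversalCookie=v1|"
    + base64.b64encode(SAMPLE_XML).decode("ascii")
    + "|en; Path=/; Secure"
)

# Element names that should never be present in client-side storage.
# "alias" is included because that is the field the article found the password in.
SENSITIVE_TAGS = {"alias", "password", "passwd", "pwd", "pan", "cardnumber"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # first '=' only; base64 padding stays intact
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def decode_b64_fields(value, sep="|"):
    """Return {field_index: xml_root} for every field that is valid base64 XML."""
    decoded = {}
    for idx, field in enumerate(value.split(sep)):
        try:
            raw = base64.b64decode(field, validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 (bad alphabet or padding): leave it alone
        try:
            decoded[idx] = ET.fromstring(raw)
        except (ET.ParseError, ValueError):
            continue  # base64, but not XML
    return decoded


def audit_cookie(header):
    """Return (cookie_name, list_of_findings). Secret values are never echoed."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag (readable by page script, e.g. via XSS)")
    for idx, root in decode_b64_fields(value).items():
        for elem in root.iter():
            if elem.tag.lower() in SENSITIVE_TAGS and (elem.text or "").strip():
                findings.append(f"field {idx}: sensitive element <{elem.tag}> stored in clear")
    return name, findings


if __name__ == "__main__":
    cookie_name, problems = audit_cookie(SAMPLE_SET_COOKIE)
    print(cookie_name)
    for problem in problems:
        print(" -", problem)
```

Run against the constructed sample it reports that the cookie has Secure but lacks HttpOnly, and that field 1 holds a populated `<alias>` element. The audit deliberately prints only the element name and field index, never the decoded content, so the report itself does not become another place the secret is written down. Base64 is an encoding, not encryption: anything a browser holds in a cookie can be decoded by whoever obtains the cookie, which is why the fix is to keep such data server-side rather than to obscure it.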

We were unable to verify the other element of the report, that credit card numbers are included in a plain text cookie called rinfo, because the account we tested had no credit card associated with it. The scenario outlined does appear feasible, however, as the reported cookie value records which credit card the user selected to use.

The H has contacted Santander in the UK for comment and will report on what response we receive.

Update (15:00) - A Santander spokesperson told The H: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data. We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks. We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.”

(djwm)