Has Tinkoff Bank exposed its customers' account statements?

The other day, Tinkoff Bank customers noticed an interesting fact: the bank had made its clients' statements available on its website via direct links. Is this an oversight by its information security staff and a breach of bank secrecy, or yet another PR stunt by Oleg Tinkov, famous for his antics?

Every month each Tinkoff Bank client receives a statement by e-mail: a nicely designed message with a PDF attached that lists the movements of money on the client's accounts.



An example of an attached statement:



At the end of July the layout of the e-mail changed slightly: the bank no longer attaches the statement file to the message and instead includes only a link.



Everything would be fine, but the link leads directly to the bank's main website, https://www.tinkoff.ru, at the address:

www.tinkoff.ru/statement/?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Some points:
  • The link carries no parameters other than the 64-character ticket ID.
  • The link can be opened from any IP address.
  • No login to the client's account on the bank's website is needed to open the page.


When this page loads, the download of that particular client's statement starts automatically.



Bank employees commented on this situation:



UPD: If you look at the source of the statement page, you will find embedded third-party widgets:
- Twitter
- Facebook
- Youtube
- Google+
- Instagram

If knowing the page address is all it takes to obtain the statement, then the staff of those services already have access to confidential data of the bank's customers: when a widget's script is loaded, the browser sends the full URL of the embedding page, ticket included, in the Referer header of that request.
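As an added example (not the bank's code, and not part of the original post), the following Python model contrasts the design described in the points above and in this update with a hardened one. Only the URL shape and the 64-character ticket are taken from the article; the two server classes, the `statement_file` method, the session and clock parameters and the simplified `referer_sent_to_widget` model of browser Referer behaviour are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

TICKET_HEX_LEN = 64  # length of the ticket in the e-mailed link


def ticket_from_url(url):
    """Return the ?ticket= value of a statement link (None if absent)."""
    return parse_qs(urlparse(url).query).get("ticket", [None])[0]


def referer_sent_to_widget(page_url, referrer_policy="no-referrer-when-downgrade"):
    """Simplified model (an assumption) of what a third-party widget loaded by the
    statement page sees in the Referer header.  The historic browser default sends
    the full URL of an https page to other https origins, ticket included;
    'origin' trims it to the site, 'no-referrer' suppresses it entirely."""
    parsed = urlparse(page_url)
    if referrer_policy == "no-referrer":
        return None
    if referrer_policy == "origin":
        return f"{parsed.scheme}://{parsed.netloc}/"
    return page_url


class OpenStatementServer:
    """The design described in the article: the ticket alone releases the PDF."""

    def __init__(self):
        self._tickets = {}  # ticket -> client id

    def issue_link(self, client_id):
        ticket = secrets.token_hex(TICKET_HEX_LEN // 2)  # 64 hex characters
        self._tickets[ticket] = client_id
        return f"https://www.tinkoff.ru/statement/?ticket={ticket}"

    def statement_file(self, url, session_client=None, client_ip=None):
        """No login, IP or expiry check: whoever holds the link gets the statement."""
        return self._tickets.get(ticket_from_url(url))


class HardenedStatementServer:
    """Ticket is bound to its owner, short-lived and single-use; an authenticated
    session for that owner is required on top of it (hypothetical design)."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._tickets = {}  # ticket -> (client id, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    def issue_link(self, client_id):
        ticket = secrets.token_hex(TICKET_HEX_LEN // 2)
        self._tickets[ticket] = (client_id, self._now() + self._ttl)
        return f"https://www.tinkoff.ru/statement/?ticket={ticket}"

    def statement_file(self, url, session_client=None):
        ticket = ticket_from_url(url)
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        owner, expires = entry
        if session_client != owner:
            return None  # not logged in, or logged in as somebody else
        del self._tickets[ticket]  # single use (also discards an expired ticket)
        if self._now() > expires:
            return None  # link expired
        return owner

    @staticmethod
    def page_headers():
        """Response headers for the statement page.  Referrer-Policy keeps the
        ticket out of widget requests; the other two only ask caches and
        crawlers to stay away and are not access control (nor is robots.txt)."""
        return {
            "Referrer-Policy": "no-referrer",
            "Cache-Control": "no-store",
            "X-Robots-Tag": "noindex, nofollow",
        }
```

A 64-hex-character random ticket cannot be guessed, so enumeration is not the issue; the problem is that the ticket is a bearer token that every party who sees the URL (the mail provider, the click-tracking redirect, widget vendors via Referer, proxies, browser history) can replay. In the hardened model the same link is useless without the owner's session, works once, and stops working after the TTL.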


UPD 2: a problem with robots.txt
Habr readers noticed in the comments that the link in the e-mail goes through the domain click.email.tinkoff.ru, whose robots.txt is empty.
The statement itself (the PDF document) is downloaded from www.tinkoff.ru/api/v1/statement_file, which is not disallowed in robots.txt either.
Note that robots.txt is only a request to well-behaved crawlers: an empty file makes indexing of a leaked link more likely, but a Disallow entry would not have protected the files from anyone who has the link.

The question arises:


Could such a decision lead to the massive disclosure of user confidential data?

  • 86.9% Yes, and this is a complete nightmare! (1946 votes)
  • 13% This solution is completely safe (292 votes)
