Cybersecurity Tech Brief By HackerNoon
Critical Vulnerability in Swedish BankID Exposes User Data
This story was originally published on HackerNoon at: https://hackernoon.com/critical-vulnerability-in-swedish-bankid-exposes-user-data.
A common misconfiguration found in services integrating BankID allows attackers to take over victims' accounts by exploiting a Session Fixation bug.
Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity.
You can also check exclusive content about #bugbounty, #account-takeover, #digital-identity, #session-fixation-attack, #swedish-bankid-vulnerability, #eid-security-research, #secure-authentication, #hackernoon-top-story, and more.
This story was written by: @mastersplinter. Learn more about this writer by checking @mastersplinter's about page, and for more stories, please visit hackernoon.com.
When a service uses BankID to authenticate its users, it is common for the service to implement some of the protocol's security features incorrectly. This leaves it exposed to a Session Fixation (CWE-384) vulnerability, which an attacker can use to hijack a victim’s session on that service. Depending on how much access the attacker has after exploiting this vulnerability, the severity of the flaw ranges between High and Critical.