This story was originally published on HackerNoon at: https://hackernoon.com/critical-vulnerability-in-swedish-bankid-exposes-user-data.
A common misconfiguration found in services integrating BankID, allows attackers to take over victim's accounts exploiting a Session Fixation bug
Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity.
You can also check exclusive content about #bugbounty, #account-takeover, #digital-identity, #session-fixation-attack, #swedish-bankid-vulnerability, #eid-security-research, #secure-authentication, #hackernoon-top-story, and more.
This story was written by: @mastersplinter. Learn more about this writer by checking @mastersplinter's about page,
and for more stories, please visit hackernoon.com.
When a service uses BankID to authenticate their users it is common for them to incorrectly implement some security features of the protocol which leaves them exposed to a Session Fixation CWE-384 vulnerability which can be used by an attacker to hijack a victim’s session on that service. Depending on the amount of access the attacker has after exploiting this vulnerability, the severity of such security flaw ranges between High and Critical