Scotiabank slammed for 'muppet-grade security' after internal source code and credentials spill onto open internet

Blueprints for mobile apps, databases exposed in public GitHub repos

A Scotiabank card

Exclusive Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal.

Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised the alarm. These repositories featured, among other things, software blueprints and access keys for a foreign exchange rate system, mobile application code, and login credentials for services and database instances: a potential gold mine of vulnerabilities for criminals and hackers to exploit.

We were tipped off to the security blunder by Jason Coulls, an IT pro based in the Great White North, who discovered the data sitting out in the open, some of which was exposed for months, we're told. As well as Scotiabank, GitHub, and payment and card processors integrated with the bank, were also alerted prior to publication.

By the time you read this, the GitHub repositories, which presumably were accidentally misconfigured by Scotiabank's techies, should be hidden or removed. Below is a screenshot we were able to take of some of the leaked source code.

Sample of the exposed GitHub code

Code red ... The insides of Scotiabank's 'digital payments dashboard' system

A spokesperson for Scotiabank was not able to comment on the screw-up at the time of writing, though they acknowledged its security team is probing the matter.

Among the hundreds of files of documentation and code, which appear to have been created by developers working on versions of Scotiabank's mobile apps for Central and South America, were credentials and keys to access some of the bank's backend systems and services dotted around the world. Among the more sensitive blueprints was code and login details for what appeared to be an SQL database system of foreign exchange rates.

"They have a foreign exchange (FX) rate SQL Server database that has had its credentials and public-private keys in the open for months," Coulls told El Reg. "Knowing that there is a known potential for someone to tweak FX rate data, the integrity of the bank is diminished accordingly."

The substantial code collection also included source for integrating the bank's systems with payment services, including Samsung and Google Pay as well as US credit-card processors Visa and Mastercard, and others.

Ta-ta, security: Bungling Tata devs leaked banks' code on public GitHub repo, says IT bloke

READ MORE

Having such a vast library of digital blueprints on the public internet may have left Scotiabank and its 25 million-plus customers wide open to attack, should the code be analyzed and found to be exploitable. Bear in mind, back in 2017, Coulls discovered that the Canadian giant's digital banking unit, supposedly its high-tech offshoot, was not only using security certificates that had expired five months prior, but much of its code had not been thoroughly audited or debugged, it seemed.

According to Coulls, this latest gaffe isn't the first time Scotiabank has spilled its internal secrets online.

"In my experience, this muppet-grade security is perfectly normal for Scotiabank, as they usually leak information once every three weeks on average," Coulls mused.

"Scotiabank had [IBM] AS/400 and DB2 instances where the credentials and connection information is public. They regularly leak source code for everything, from customer-facing mobile apps to server-side REST APIs. They also leak customer data. If they ever claimed that security is a top priority, I would dread to see how they handle low priority things."

We'll let you know if Scotiabank has any further comment. ®

Sponsored: Beyond the Data Frontier

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019