In Mexico it’s possible to send bank statements via standard email, anyhow the law requires that certain security mechanisms are in place so any unauthorized party is unable to read it. The user must provide a password in order to read the bank statement.
Most banks in Mexico use a password protected ZIP file or a password protected PDF in order to obey the law. One particular bank took a different approach and used an HTML file to achieve the same job. In this presentation, I analyze, from a security standpoint, the behaviour of such new bank statement, a vulnerability that I found (and has been fixed) and I end the presentation with an explanation and a demo on how such vulnerability could be exploited to view a bank statement without knowledge of the password.