Back in 2014 I found a serious XSS vulnerability at Santander Totta Portal. This flaw allowed attackers to create high phishing schemes and highjack bank accounts.
At the time of reporting this issue, Santander Totta ignored the problem, for months, after Portuguese social media confront them with this situation. Exame Informatica and Visão published articles calling their attention for the problem that was fixed right after.
Today I fully disclose this situation, as it won’t bring any problems to the bank, as they changed their platform.
This is a lesson to all the companies who receive free reports every day. Do not ignore the reports you receive from researchers. They dedicate their free time to protect the internet at no cost. If you don’t know what to do, reply to them and ask for help, they will certainly redirect you to competent services.
You can watch this vulnerability being exploited on the video bellow. Sorry for the bad quality.