Date: 21 Dec 2003 17:18:21 -0000
From: Mark Peterson <apalamen@...global.net>
To: bugtraq@...urityfocus.com
Subject: An undetectable Online Bank Vulnerability?




December 20, 2003

RE: Banking/eCommerce Basic Vulnerability - Undetectable

Due to the well-known documented ability of XSS/CSS capabilities and the proliferation of 3rd-party web-services, can anyone confirm the following:

If an Online Bank utilizes 3rd-party webservices (javascript/.JS) via either web-analytic measurements or a banner-ad server - Is there not indeed a theoretical backdoor to the client-side browser if this 3rd-party webservice/webserver was compromised with malicious code?

All one has to do is attack the server that is providing the commercial webservice and in theory, one would have complete control over the consumer's web browser (client-side browser), without detection from an Online Bank - or internal security intrusion detection from the Bank itself.

Is this not correct?

Behind closed doors, I have confirmation of this independently.  Although no one in public seems to be willing to formally acknowledge these basic vulnerabilities in Online Banking.

I have a list of Banks that currently utilize webservices from another 3rd-party.

I have searched the entire Internet for anyone else who may have reported this obvious vulnerability to an online bank.  What I haven't found is a technical solution to it, nor dissemination on the basics of just how vulnerable online banking is to consumers.

Can anyone debate me publicly on this on grounds of the technical merits of this Online Banking Security issue? Without throwing accusations around?

I am a writer, and wanted to address the fact that there is a theoretical backdoor, that could escape detection from Intrusion Countermeasures - because this theory is made up of the following:

1) Find a COMMERCIAL WEBSITE with 3rd-party services running on it.
2) Attack the weakest part - the company providing webservices to this website.
3) Compromise the code on the server that is providing it to the COMMERCIAL WEBSITE.
4) This compromised code could in theory launch a new Popup() window or new browser session mimicking the entire content of the COMMERCIAL WEBSITE.
5) This technique bypasses the COMMERCIAL WEBSITE's SERVER and INTRUSION DETECTION capability, by launching straight into the user's client-browser session (client-side).

In theory would this not be a Backdoor to Online Banking/Commerce?  It is also undetectable because of its client-side orientation, is this not also correct?

Obvious solutions: Remove 3rd-party webservices from sensitive websites.  Inform customers to disable Javascript or Mobile Code.

Any comments would be appreciated.
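
An added example, not part of the original post: a defender-side inventory of the scripts a sensitive page loads from hosts other than its own, which is the dependency the message describes. The page URL, hostnames and HTML are constructed, and the `integrity` check refers to Subresource Integrity, a browser mechanism that postdates this post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Record every <script src=...> and compare its host with the page's own host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        src = a.get("src")
        if tag != "script" or not src:
            return  # inline scripts are served by the site itself
        full = urljoin(self.page_url, src.strip())  # resolves relative and //host forms
        host = urlsplit(full).hostname
        self.findings.append({
            "src": full, "host": host,
            "third_party": host != self.page_host,  # exact-host match (assumption)
            "pinned": bool(a.get("integrity")),      # content hash pinned by the page
        })

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def unpinned_third_party(page_url, html):
    """Hosts whose operator can change what runs in the visitor's browser."""
    return sorted({f["host"] for f in audit(page_url, html)
                   if f["third_party"] and not f["pinned"]})

# Constructed sample page: one first-party script, analytics, banner ad, pinned widget.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """<html><head>
<script src="/js/login.js"></script>
<script src="//stats.analytics.example/track.js"></script>
<SCRIPT SRC="http://ads.banner.example/serve.js?zone=3"></SCRIPT>
<script src="https://cdn.widgets.example/w.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f)
    print("review:", unpinned_third_party(SAMPLE_URL, SAMPLE_HTML))
```
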

