lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20050419231209.GA23220@barillari.org>
Date: Tue, 19 Apr 2005 19:12:09 -0400
From: Joseph Barillari <bugtraq@...illari.org>
To: dramatools <avernon@...matools.net>
Cc: bugtraq@...urityfocus.com, webinfo@...italone.com
Subject: Re: Capital One's website inadvertently assists phishing


On Tue, Apr 19, 2005 at 05:30:28PM -0500, dramatools wrote:
> However, I clicked your "proof of concept" link and found that the
> redirector did not send me to Wikipedia as expected, but Capital One's
> home page.  Perhaps one of their security people is lurking on bugtraq
> and attempted to fix the problem on the spot.  I'll keep monitoring this
> one.

Looks like full disclosure worked. Thanks!

http://barillari.org/blog/computers/internet/conephishing-updated.html 

Timeline (should be mostly complete):

|13 Apr 01:28:45 -0400|Phishing email exploiting unchecked redirect arrives|
|13 Apr 01:54:51 -0400|Emailed webinfo@...italone.com to report it|
|13 Apr 01:53:00 -0400|Blog post posted (http://barillari.org/blog/computers/internet/conephishing.html)|
|13 Apr 16:29:45 -0400|Inform Capital One of my intention to post to bugtraq (http://securityfocus.org/archive/1) in 24 hours|
|13 Apr 16:31:11 -0400|Capital One form letter arrives:  "this [phishing] email has not compromised Capital One's systems in any way,"|
|13 Apr 16:44:42 -0400|Reply to Capital One form letter: "this email _has_ taken advantage of a compromised Capital One system: Capital One's website redirects URLs without checking them....please see the note about bugtraq below"|
|13 Apr 16:47:15 -0400|Another form letter: "A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours". I wonder if saying "bugtraq" provokes this response.|
|19 Apr 16:32:15 -0400|Four business days later (well beyond 72h), redirect is still unchecked. Post bug to bugtraq (http://www.securityfocus.com/archive/1/396255) and cc Capital One|
|19 Apr 16:53:46 -0400|Reply to Capital One (signed by a human?) form letter:  "the point is that the phishing email _has_ exploited a flaw in Capital One's systems. Your website permits unchecked redirects. This makes a phisher's job much, much easier.|
|19 Apr 18:01:00 -0400|A bugtraq subscriber tells me that he's emailed abuse@...italone.com (I should have thought of that)|
|19 Apr 14:27:05 -0800|Another bugtraq subscriber tells me that it's fixed. Checked myself --- apparently, it is.|
|19 Apr 18:55:38 -0400|Send email to webinfo@, thanking them for fixing the unchecked redirect.|
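The flaw the thread is about is an open (unchecked) redirect: a site endpoint that sends the browser to whatever URL appears in a request parameter, so a phishing mail can carry a link on the bank's own domain that lands on the phisher's page. The following is an added example, not code from the original post, from Capital One, or from the fixed site; it shows the unchecked behaviour beside a hardened redirector that resolves the target against the site and only follows it if the parsed host is on an allow-list. The host names, the base URL and the sample targets are constructed for illustration.

```python
"""Open-redirect check: the unchecked behaviour described in the thread,
beside a hardened redirector that only follows same-site targets.

Added example; not code from the original post or from Capital One.
Host names, base URL and sample targets below are constructed."""

from urllib.parse import urljoin, urlsplit, urlunsplit

# Hypothetical allow-list: the only hosts the redirector may send users to.
ALLOWED_HOSTS = frozenset({"www.capitalone.com", "capitalone.com"})
# Hypothetical landing page, used to resolve relative targets and as the
# fail-closed fallback when a target is rejected.
BASE_URL = "https://www.capitalone.com/"


def unchecked_redirect(target: str) -> str:
    """The vulnerable pattern from the thread: the Location header is
    whatever the attacker placed in the redirect parameter."""
    return target


def checked_redirect(target: str,
                     allowed_hosts: frozenset = ALLOWED_HOSTS,
                     base_url: str = BASE_URL) -> str:
    """Return a Location value that stays on an allowed host, or base_url."""
    # Fail closed on anything that could confuse a browser or a header
    # parser: empty input, CR/LF/tab (header injection), backslashes
    # (browsers treat them as slashes, urlsplit does not).
    if not target or any(c in target for c in "\r\n\t\\"):
        return base_url

    # Resolve against the site first so "/accounts" becomes absolute and so
    # a scheme-relative "//evil.example/x" is recognised as an external host.
    parts = urlsplit(urljoin(base_url, target))

    # Only web schemes; rejects javascript:, data:, vbscript:, etc.
    if parts.scheme not in ("http", "https"):
        return base_url

    # Exact match on the parsed (lower-cased) hostname. This also defeats
    # "https://www.capitalone.com@evil.example/" (hostname is evil.example)
    # and "https://www.capitalone.com.evil.example/" (not an exact match).
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return base_url

    # Rebuild from the validated pieces; userinfo, port and fragment are dropped.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


# Constructed sample targets modelled on the thread: a same-site path, a
# Wikipedia proof-of-concept target, and a handful of common bypass attempts.
SAMPLE_TARGETS = [
    "/accounts/summary",
    "http://en.wikipedia.org/wiki/Phishing",
    "//evil.example/login",
    "https://www.capitalone.com@evil.example/",
    "https://www.capitalone.com.evil.example/",
    "javascript:alert(1)",
]


def audit(targets=SAMPLE_TARGETS):
    """Map each target to (unchecked result, checked result) for comparison."""
    return {t: (unchecked_redirect(t), checked_redirect(t)) for t in targets}


if __name__ == "__main__":
    for target, (raw, safe) in audit().items():
        print(f"{target!r}\n  unchecked -> {raw!r}\n  checked   -> {safe!r}")
```

The check deliberately compares the parsed hostname rather than doing a string-prefix test on the raw parameter, because the userinfo and subdomain tricks in the sample list pass a naive `startswith("https://www.capitalone.com")` while still leaving the bank's domain. Rejected targets fall back to the landing page rather than erroring, so a legitimate but malformed link still keeps the user on-site.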


