Message-Id: <0A1C2634-0A9F-4879-83E2-AECC63322E34@kirps.com>
Date: Thu, 25 Jan 2007 21:09:36 +0100
From: Jos Kirps <jos@...ps.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	security-basics@...urityfocus.com
Subject: Dexia website security alert

A few days ago I sent a mail to the Dexia bank (www.dexia.lu) about their website.

They have two logins, one is for the online banking account and one is for some kind of members' area. The problem with the "members' login" was that a) it was not SSL encrypted and b) it used to send bad usernames and passwords in clear text back to the browser.

So here's the critical point: If you wanted to use your online banking but selected the wrong login by mistake your (correct) username and password were refused (still ok), sent back to the browser in clear text and stored in the browser cache (well...).

I sent them the info via mail (see below), they replied using a standard "thank you for your mail" answer and 24 hours later the login was changed. But I didn't get any further feedback so I mailed them again to get some kind of statement, but they simply replied that "The risk, that you evoked, is really weak" aso.

So, after all, they seem to think that this was just "peanuts" and not worth talking about. I, on the other hand, think that this was more than critical and that there could still be passwords stored out there in browser caches.

So what do you think about this?
Has anyone any experience with banks?

Best regards
Jos Kirps

===== the original mail =====

To: contact@...ia-bil.lu, technique@...ia-bil.lu
From: Jos Kirps <jos@...ps.com>
Subject: Dexia website security alert
Date: Tue, 23 Jan 2007 08:39:36 +0100

synopsis:
dexia website member access uses a crappy login that allows one to
retrieve member usernames or passwords and eventually even bank
account usernames and passwords.

url:
<http://www.dexia-bil.lu/webquotes/index1.asp?h=1&lang=en&menu=onl&href=profil_logon2.asp?lang=en>

description:
there are two basic problems with this page: a) there is no ssl
encryption and b) if you enter a bad username or password both
username and password are returned in cleartext to the browser. so
everyone can read them on the page source or retrieve them from
the browser cache (tested, works fine).

i think another huge problem is related to the design of the site
entrance page itself - there is a "dexiaplus login" for account holders
and a "members' login" (which is the weak one described above). now
if you are an account holder and chose "members' login" instead of
"dexiaplus login" by mistake (and i think this could definitely happen)
and enter your bank account username and password here you'll get
an "access denied" - which is perfectly okay, but - and this is the
*really bad* news - your bank account username and password will be
returned in clear text by the dexia server, and hence stored in your
browser cache where they can easily be retrieved by anyone who
has access to your computer (if it hasn't already been captured via
the network before...).

solutions / suggestions:
ssl encryption on the members' login page, and never return password
field contents in clear text to the browser (especially if you're a
bank :-).

note:
even if you get the bank account username and password you'll still
need a TAN code to access an account, so this doesn't give you direct
access to someone's online bank account. but it definitely gets you *a
lot* closer!!!

finally:
please reply, fix & credit within the usual timeframes.
will be posted on bugtraq afterwards....

don't hesitate to contact me if you have further questions

best regards
jos kirps



------------------------------------------------------
Jos Kirps
-----------------------------------------------------
14, Cité op Gewännchen
4383 Ehlerange
Luxembourg
-----------------------------------------------------
jos@...ps.com
http://www.kirps.com
-----------------------------------------------------
joskirps@...glemail.com
http://sourceforge.net/users/joskirps
skype: joskirps, jos@...ps.com
-----------------------------------------------------
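The two failure modes the report describes (a failed login echoing the submitted credentials into the page, and that page being cacheable because nothing told the browser otherwise) side by side with a hardened handler, as an added illustration that is not code from the post or from Dexia. The credential store, the handler signatures and the `leaks_credentials` audit helper are assumptions made for the example.

```python
import hmac
from html import escape

# Constructed demo credential store (not Dexia's); a real one holds salted hashes.
DEMO_USERS = {"member42": "correct-horse"}


def vulnerable_login(username: str, password: str) -> tuple[int, dict, str]:
    """Mirrors the behaviour in the report: a failed login writes the submitted
    username AND password into the response body, and no header stops the
    browser (or a proxy) from caching that page."""
    if DEMO_USERS.get(username) == password:
        return 200, {"Content-Type": "text/html"}, "<p>Welcome</p>"
    body = (f"<p>Access denied for user {escape(username)} "
            f"with password {escape(password)}.</p>")
    return 401, {"Content-Type": "text/html"}, body


def hardened_login(username: str, password: str) -> tuple[int, dict, str]:
    """Hardened form: generic error text, neither field echoed back, a
    constant-time comparison, and headers that forbid storing the response
    and keep the form on TLS."""
    expected = DEMO_USERS.get(username, "")
    ok = username in DEMO_USERS and hmac.compare_digest(
        expected.encode(), password.encode())
    headers = {
        "Content-Type": "text/html",
        "Cache-Control": "no-store",                      # never cache this response
        "Pragma": "no-cache",                             # HTTP/1.0 caches
        "Strict-Transport-Security": "max-age=31536000",  # stay on HTTPS
    }
    if ok:
        return 200, headers, "<p>Welcome</p>"
    return 401, headers, "<p>Login failed. Check your username and password.</p>"


def leaks_credentials(response: tuple[int, dict, str],
                      username: str, password: str) -> dict:
    """Audit helper (assumed, not a real library): does the response echo the
    submitted fields, and may it be written to a cache?"""
    _status, headers, body = response
    cache_control = headers.get("Cache-Control", "").lower()
    return {
        "password_in_body": password in body,
        "username_in_body": username in body,
        "cacheable": "no-store" not in cache_control,
    }
```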
