lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0609271647420.2095@loki.ct.heise.de>
Date: Wed, 27 Sep 2006 16:54:37 +0200 (CEST)
From: Juergen Schmidt <ju@...sec.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Major UK Bank Web Sites With Serious Security Flaws

Major UK Bank Web Sites With Serious Security Flaws

Tests conducted by heise Security show that the online
banking web sites of eight major UK Banks are
vulnerable to long known security issues.

NatWest, Cahoot, Bank of Scotland, Bank of Ireland,
First Direct and Link use frames on their web
sites. This means that customers of those banks using
Internet Explorer, in the default configuration, are
vulnerable to frame spoofing attacks. This issue has
been known since 1998.  Incidentally, the same kind of
attack works (mis)using the site of 'The Dedicated
Cheque and Plastic Crime Unit', a bank sponsored police
force.

UBS and the Bank of England are vulnerable to very
simple cross site scripting attacks.

All vulnerabilities could be used by attackers to mount
advanced phishing attacks, using the context of the
original banking site. The user still sees a valid
certificate and the correct address in the address bar.

heise Security has informed all eight banks and has set
up demos that illustrate these problems. Three banks
have already reacted and changed their sites. NatWest
removed the name of the frame, so that simple attacks
no longer work. However, the frame can still be
addressed and modified using JavaScript. Bank of
England updated their vulnerable application to filter
user input. UBS changed their online banking
application twice, but is still not filtering user
input sufficiently.

You can find more details and concrete, working
demonstrations of the security problems in the article
"You can't bank on security" on
http://www.heise-security.co.uk/articles/76590

bye, ju

--
Juergen Schmidt
editor-in-chief
heise Security
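The frame-spoofing problem described in the message above (a frame on the bank's own site being filled with content from another window, which the NatWest follow-up notes still works via JavaScript once the frame name is gone) can be contained from the frameset page itself: the parent page periodically verifies that every frame still shows same-origin content, and reloads any frame it can no longer read. The check relies on the browser's same-origin policy, under which reading `location.href` of a frame that now shows a foreign origin throws a SecurityError while assigning to it is still permitted. The following is an added example written for this page, not code from the advisory, from heise Security or from any bank; the origin `bank.example`, the frame names, and the mock browser objects at the bottom are all constructed so the check can run offline.

```javascript
// Parent-side integrity check for a frameset page (added example; the
// origin, frame names and mock browser objects are constructed).
// Browser behaviour assumed: reading `location.href` of a frame that now
// shows another origin throws a SecurityError, while assigning to it is
// allowed, so the parent can both detect a replaced frame and reload it.

const BANK_ORIGIN = "https://bank.example"; // placeholder origin
const EXPECTED_FRAMES = {
  menu: BANK_ORIGIN + "/menu.html",
  content: BANK_ORIGIN + "/login.html",
};

// Returns the frame's URL, or null when the browser refuses the read,
// which is exactly the cross-origin case the check is looking for.
function readFrameHref(frame) {
  try {
    return frame.location.href;
  } catch (e) {
    return null;
  }
}

// Checks every expected frame and reloads any that is unreadable or points
// at another origin. Returns the names of the frames that were repaired.
function auditFrames(win, expected = EXPECTED_FRAMES) {
  const repaired = [];
  for (const [name, url] of Object.entries(expected)) {
    const frame = win.frames[name];
    if (!frame) continue; // frame not created yet; nothing to verify
    const href = readFrameHref(frame);
    const sameOrigin =
      href !== null && new URL(href).origin === new URL(url).origin;
    if (!sameOrigin) {
      frame.location.href = url; // cross-origin navigation writes are allowed
      repaired.push(name);
    }
  }
  return repaired;
}

// In a real browser the frameset page would start the guard like this:
//   installFrameGuard(window, 1000);
function installFrameGuard(win, intervalMs) {
  return setInterval(() => auditFrames(win), intervalMs);
}

// --- constructed stand-in for browser objects, so the check runs offline ---
function mockFrame(initialHref) {
  let href = initialHref;
  return {
    location: {
      get href() {
        // Mimic the browser: a foreign-origin frame cannot be read.
        if (new URL(href).origin !== BANK_ORIGIN) {
          throw new Error("SecurityError: cross-origin frame access");
        }
        return href;
      },
      set href(v) {
        href = v;
      },
    },
    currentHref: () => href, // inspection hook for the demo only
  };
}

// A window whose "content" frame either shows the bank's own page or has
// been replaced with a page from an unrelated origin (constructed).
function demoWindow(contentSpoofed) {
  const contentUrl = contentSpoofed
    ? "https://not-the-bank.example/page"
    : EXPECTED_FRAMES.content;
  return {
    frames: {
      menu: mockFrame(EXPECTED_FRAMES.menu),
      content: mockFrame(contentUrl),
    },
  };
}
```

The guard only narrows the exposure to one polling interval, and it does nothing against a frame whose content is same-origin but tampered with; the durable fix, which is what the banks that redesigned their sites effectively chose, is not to compose the authenticated session out of individually addressable frames at all.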


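The cross-site scripting part of the message, and the remark that one bank was "still not filtering user input sufficiently" after two attempts, illustrate why filtering input is the wrong layer: the reliable fix is to encode data for the context it is written into (HTML text, attribute value, URL). The following is an added example written for this page, not code from any of the banks or from heise Security; the page template, the naive filter used for contrast, and the sample input are constructed.

```javascript
// Contextual output encoding as the fix for reflected cross-site scripting.
// Added example; the template, the naive filter and the inputs are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL context: only http(s) URLs may go into an href; anything else is
// replaced by an inert fragment link, and the survivor is still attribute-encoded.
function safeHref(value) {
  const trimmed = String(value).trim();
  if (!/^https?:\/\//i.test(trimmed)) return "#";
  return escapeHtml(trimmed);
}

// The kind of "input filter" that keeps being found insufficient: it removes
// one spelling of one tag and passes every other piece of markup through.
function naiveFilter(value) {
  return String(value).replace(/<script>/g, "");
}

// Two versions of the same page: one encodes on output, one relies on the filter.
function renderSearchPage(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

function renderSearchPageNaive(query) {
  return `<p>Results for: ${naiveFilter(query)}</p>`;
}

// Attribute and text contexts handled separately in one template.
function renderBackLink(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}

// Counts the tags in rendered HTML; the search template itself contributes
// exactly two (<p> and </p>), so anything above that came from user data.
function tagCount(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}

// Constructed sample input containing markup and characters that matter in HTML.
const SAMPLE_QUERY = '<b>hello</b> & "quotes"';
```

Running `renderSearchPage(SAMPLE_QUERY)` yields a page with only the template's two tags, while `renderSearchPageNaive(SAMPLE_QUERY)` keeps the user's `<b>` markup intact: the filter never saw anything it was told to remove. That is the same failure mode as a filter that is patched twice and still lets markup through; encoding at the point of output does not depend on enumerating what an attacker might send.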