lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Jan 2007 21:09:36 +0100 From: Jos Kirps <jos@...ps.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, security-basics@...urityfocus.com Subject: Dexia website security alert A few days ago I sent a mail to the Dexia bank (www.dexia.lu) about their website. They have two logins, one is for the online banking account and one is for some kind of members' area. The problem with the "members' login" was that a) it was not SSL encrypted and b) it used to send bad usernames and passwords in clear text back to the browser. So here's the critical point: If you wanted to use your online banking but selected the wrong login by mistake your (correct) username and password were refused (still ok), sent back to the browser in clear text and stored in the browser cache (well...). I sent them the info via mail (see below), they replied using a standard "thank you for your mail" answer and 24 hours later the login was changed. But I didn't get any further feedback so I mailed them again to get some kind of statement, but they simply replied that "The risk, that you evoked, is really weak" aso. So, after all, they seem to think that this was just "peanuts" and not worth talking about. I, on the other hand, think that this was more than critical and that there could still be passwords stored out there in browser caches. So what do you think about this? Has anyone any experience with banks? Best regards Jos Kirps ===== the original mail ===== To: contact@...ia-bil.lu, technique@...ia-bil.lu From: Jos Kirps <jos@...ps.com> Subject: Dexia website security alert Date: Tue, 23 Jan 2007 08:39:36 +0100 synopsis: dexia website member access uses a crappy login that allows to retrieve member usernames or passwords an eventually even bank account usernames and passwords. url: <http://www.dexia-bil.lu/webquotes/index1.asp?=20 h=3D1&lang=3Den&menu=3Donl&href=3Dprofil_logon2.asp?lang=3Den> description: there are two basic problems with this page: a) there is no ssl encryption and b) if you enter a bad username or password both username and password are returned in cleartext to the browser. so everyone can read them on the page source or retrieve them from the browser cache (tested, works fine). i think another huge problem is related to the design of the site entrance page itself - there is a "dexiaplus login" for account holders and a "members' login" (which is the weak one described above). now if you are an account holder an chose "members' login" instead of "dexiaplus login" by mistake (and i think this could definately happen) and enter your bank account username and password here you'll get an "access denied" - which is perfectly okay, but - and this is the =20 *really bad* news - your bank account username and password will be returned in clear text by the dexia server, and hence stored in your browser cache where they can easily be retrieved by anyone who has access to your computer (if it hasn't already been captured via the network before...). solutions / suggestions: ssl encryption on the members' login page, and never return password field contents in clear text to the browser (especially if you're a =20 bank :-). note: even if you get the bank account username and password you'll still need a TAN code to access an account, so this doesn't give you direct access to someones online bank account. but it definately gets you *a lot* closer!!! finally: please reply, fix & credit within the usual timeframes. will be posted on bugtraq afterwards.... don't hesitate to contact me if you have further questions best regards jos kirps ------------------------------------------------------ Jos Kirps ----------------------------------------------------- 14, Cité op Gewännchen 4383 Ehlerange Luxembourg ----------------------------------------------------- jos@...ps.com http://www.kirps.com ----------------------------------------------------- joskirps@...glemail.com http://sourceforge.net/users/joskirps skype: joskirps, jos@...ps.com ----------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists