| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1184117973.9267.5.camel@localhost> Date: Tue, 10 Jul 2007 21:39:33 -0400 From: Jim Popovitch <yahoo@...pop.com> To: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Wachovia Bank website sends confidential information On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote: > VI. VENDOR RESPONSE > > The vendor (Wachovia Bank) was notified via their customer service > phone number on June 25. We were transferred to "web support". The > person answering asked us to FAX the details to her and we did so, > also on June 25. We explained that we were reporting a severe > security problem on their web site. Severe? All that seems to be leaked is a person's Name/Address/SSN number and some other details. While this is too much info to leak, I'd hardly say it's severe. That same info can be easily found in people's mailboxes weekdays between noon and 4pm. > We stated that that if we did not hear back from them within 7 days and > the problem was not fixed by then that we would post the problem on the > Full Disclosure list, following accepted industry practice. 7 days? "industry practice"? Come on Bob I know you know that large corporations can't feed a cat in 7 days let alone make unscheduled website changes that fast. Change control approvals alone would include 14 or more days in most enterprises. Why the rush to "say so"? -Jim P. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists