lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1335884904.76560.YahooMailNeo@web140311.mail.bf1.yahoo.com> Date: Tue, 1 May 2012 08:08:24 -0700 (PDT) From: Kerry Adams <kerryadams604@...oo.com> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: South African Bank "security" Dear Full-Disclosure, ABSA Bank South Africa, "a member of the Barclays Group", has a division named "ABSA stock brokers". ABSA stock brokers sends out "secure email" for statements, etc. This consists of an attached HTML form (plaintext) which submits a user name and password by https to digibroker.co.za, which displays the actual statement. This, unfortunately, leaves ample room for rank outsiders to provide similar mail and collect passwords, if they can just get past that fiendishly complex base64 encryption. The following sample of only slightly doctored "secure email" is provided for educational purposes only: http://pastebin.com/1FjqMcCq Timeline: Last week: vendor notified This week: publication Vendor describes their security as follows at https://www.absastockbrokers.co.za/ : Absa Stockbrokers is committed to making sure that your online experience is safe and secure. Absa Stockbrokers uses multiple levels of security, and state-of-the-art Internet technology, beginning with your browser and ending with our own security infrastructure to ensure that access to your accounts is private and secure. Further information can be found under Security Centre on the main Absa website. Secure Email: All contract notes (broker notes) and monthly statements delivered via email are encrypted for your protection. In order to decrypt the secure emails, the nominated email recipient is required to register on the Absa Stockbrokers website. See Secure Email under FAQ's. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists