Message-ID: <1335884904.76560.YahooMailNeo@web140311.mail.bf1.yahoo.com>
Date: Tue, 1 May 2012 08:08:24 -0700 (PDT)
From: Kerry Adams <kerryadams604@...oo.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: South African Bank "security"

Dear Full-Disclosure,

ABSA Bank South Africa, "a member of the Barclays Group", has a division named "ABSA stock brokers".  ABSA stock brokers sends out "secure email" for statements, etc.  This consists of an attached HTML form (plaintext) which submits a user name and password by https to digibroker.co.za, which displays the actual statement.

This, unfortunately, leaves ample room for rank outsiders to provide similar mail and collect passwords, if they can just get past that fiendishly complex base64 encryption.  The following sample of only slightly doctored "secure email" is provided for educational purposes only:

http://pastebin.com/1FjqMcCq


Timeline:
    Last week: vendor notified
    This week: publication

Vendor describes their security as follows at https://www.absastockbrokers.co.za/ :

Absa Stockbrokers is committed to making sure that your online experience is safe and secure. Absa Stockbrokers uses multiple levels of security, and state-of-the-art Internet technology, beginning with your browser and ending with our own security infrastructure to ensure that access to your accounts is private and secure. Further information can be found under Security Centre on the main Absa website.


Secure Email: All contract notes (broker notes) and monthly statements delivered via email are encrypted for your protection. In order to decrypt the secure emails, the nominated email recipient is required to register on the Absa Stockbrokers website. See Secure Email under FAQ's.  


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
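A mail-gateway style check for the pattern the post describes, added here as an example and not part of the post, of ABSA's system or of the pastebin sample: it undoes the base64 transfer encoding of an attached HTML document and flags any attachment that asks for a password and posts it to a host outside the sender's domain. The sample message, attachment and every domain in it are constructed.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not the pastebin from the post): a statement mail whose
# base64-encoded HTML attachment carries a login form posting to another domain.
ATTACHED_FORM = (b'<html><body><form method="post" action="https://statements.example.net/login">'
                 b'User: <input name="user"> Password: <input type="password" name="pwd">'
                 b'<input type="submit" value="View statement"></form></body></html>')
RAW_MAIL = (
    b"From: statements@bank.example.com\r\nTo: customer@example.org\r\n"
    b"Subject: Your monthly statement\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b'--XX\r\nContent-Type: text/html; name="statement.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="statement.html"\r\n\r\n'
    + base64.b64encode(ATTACHED_FORM) + b"\r\n--XX--\r\n"
)

class FormScanner(HTMLParser):
    """Collects <form action=...> targets and notes whether any password input exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def credential_forms_in_attachments(raw):
    """Return (attachment filename, target host) for attached HTML forms that post a password off-domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"]
    sender_domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())  # get_content() undoes the base64 transfer encoding
        for action in scanner.actions:
            host = (urlparse(action).hostname or "").lower()
            in_house = host == sender_domain or host.endswith("." + sender_domain)
            if scanner.has_password and host and not in_house:
                findings.append((part.get_filename(), host))
    return findings
```

A legitimate statement mail that carries a form posting to the bank's own domain passes this check, which is exactly why the check cannot tell the real thing from a look-alike sent from a spoofed or similar sender; it only surfaces the mails that deserve a closer look.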
