
| Subject: | [Full-disclosure] Major UK Bank Web Sites With Serious Security Flaws |
|---|---|
| Date: | Wed, 27 Sep 2006 16:54:37 +0200 (CEST) |
Major UK Bank Web Sites With Serious Security Flaws

Tests conducted by heise Security show that the online banking web sites of eight major UK Banks are vulnerable to long known security issues.

NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link use frames on their web sites. This means that customers of those banks using Internet Explorer, in the default configuration, are vulnerable to frame spoofing attacks. This issue has been known since 1998. Incidentally, the same kind of attack works (mis)using the site of 'The Dedicated Cheque and Plastic Crime Unit', a bank sponsored police force.

UBS and the Bank of England are vulnerable to very simple cross site scripting attacks.

All vulnerabilities could be used by attackers to mount advanced phishing attacks, using the context of the original banking site. The user still sees a valid certificate and the correct address in the address bar.

heise Security has informed all eight banks and has set up demos that illustrate these problems. Three banks have already reacted and changed their sites. Nat West removed the name of the frame, so that simple attacks no longer work. However the frame can still be addressed and modified using JavaScript. Bank of England updated their vulnerable application to filter user input. UBS changed their online banking application twice, but is still not filtering user input sufficiently.

You can find more details and concrete, working demonstrations of the security problems in the article "You can't bank on security" on http://www.heise-security.co.uk/articles/76590

bye, ju

--
Juergen Schmidt
editor-in-chief
heise Security
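The post's point about NatWest (removing a frame's name only blocks the simplest case, because frames remain addressable by index from script) suggests an inventory check a site owner can run over their own pages. The following is an added example, not code from the post or from heise Security's demos: it parses an HTML document and lists every frame, whether it is targetable by name, and whether its source stays on the page's own host. The sample frameset and host names are constructed.

```python
"""Inventory frames on a page to gauge frame-spoofing exposure.

Added example (not from the post). Frame spoofing relies on a frame
of a trusted site being navigated to foreign content while the
address bar and certificate still show the trusted site, so every
frame, named or not, is a surface worth knowing about.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FrameCollector(HTMLParser):
    """Collects <frame> and <iframe> attributes in document order."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            self.frames.append(dict(attrs))


def audit_frames(html, page_url):
    """Return one finding per frame: index, name, resolved src,
    whether src is on the page's host, and whether the frame can be
    targeted by name (unnamed frames are still reachable by index)."""
    parser = FrameCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc
    findings = []
    for idx, attrs in enumerate(parser.frames):
        src = urljoin(page_url, attrs.get("src", ""))
        name = attrs.get("name")
        findings.append({
            "index": idx,
            "name": name,
            "src": src,
            "same_host": urlsplit(src).netloc == page_host,
            "targetable_by_name": name is not None,
        })
    return findings


# Constructed sample resembling a 2006-era banking frameset.
SAMPLE_HTML = """
<frameset cols="200,*">
  <frame name="nav" src="/nav.html">
  <frame src="/login.html">
  <frame name="promo" src="http://promo.example.net/banner.html">
</frameset>
"""

if __name__ == "__main__":
    for finding in audit_frames(SAMPLE_HTML, "https://bank.example.com/"):
        print(finding)
```

Frames flagged `targetable_by_name` are reachable from any other window that knows the name; the rest are still reachable by index, which is why the post notes that dropping the name alone is not a fix.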